Hello Hackers ! I’m again with another android bug bounty report. I know that some of you already reported this bug but got N/A. In this post I’ll tell you everything about this issue , like when you should report this and when you shouldn’t. I faced the same problem but after providing a right POC my reports got accepted by HackerOne.
What is OWASP M2 ?
It’s an android issue where application stores log details in memory that includes username, password, session token, etc. For more info go to OWASP website.
How to Reproduce This Issue ?
So, Here it’s a simple steps you can follow to identify this issue:–
1. Connect your android device with ADB tool.
2. Open target application and run below command in the terminal:
$ps | grep <APK_PACKAGE>
$logcat | grep <PID>
3. Then perform any operation like log into account, register, update profile, submit any form, etc
4. Return to your terminal and see if you can find your submitted details in the terminal.
5. If you got any sensitive details then congratulations you found the vulnerability.
Now POC APK:
I’m not an android developer but found this application in play store. You can use it as a POC. Just run the POC app in background and perform all operations I’ve just mentioned. Then return to the POC app and search your details.
Happy ? Wait … Wait … Wait …
When You Should Not Report This:
If this is mentioned in Out of Scope section:
Vulnerabilities that require rooted / jailbroken devices, or debug access to a user’s device;
Usually this issue comes under Medium Severity in Hackerone. I’ve submitted total three reports to HackerOne. One of them was so sensitive that application was logging user’s internet Banking details (Username and password).
Thank You and Happy Hacking…