Insecure Data Storage in Vine Android App

From Hackipedia
Hackerone #44727
Target: Twitter
Type: Mobile


Android applications use a local SQLite database to store information.

This particular database was located here:

/data/data/co.vine.android/databases/webview.db

Getting this bounty is as easy as opening up the database and finding improperly stored credentials.

How To Perform

  1. Get a rooted phone
  2. Follow these steps laid out by Vishwa Patel
    1. To view the contents of your local database, you need to download software called SQLiteStudio: http://sqlitestudio.one.pl/
    2. Download and install SQLiteStudio on your computer
    3. Connect your phone to your computer and make sure you turn on USB Debugging. USB Debugging can be activated from Settings -> Applications -> USB Debugging (or Settings -> Developer Options -> USB Debugging if you are using Ice Cream Sandwich).
    4. Open the DDMS view in Eclipse, open the File Explorer tab in DDMS, and then go to data -> data -> (name-of-your-application) -> databases. Now pull the data file from the databases folder onto your computer.
    5. Open SQLiteStudio and import the data file that you have just pulled from your Android phone.
    6. View the contents of your database!
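
The same review can be scripted as a pre-release check on your own app's database copy. The following is an added example, not part of the original report: it walks every table in a SQLite file and reports credential-like columns that hold non-empty rows, without printing the values. The column-name heuristic and the sample schema and rows are assumptions constructed for illustration.

```python
import re
import sqlite3

# Assumed heuristic: column names that suggest a secret is being persisted.
SENSITIVE = re.compile(r"pass|secret|token|session|auth|cookie", re.I)


def quote_ident(name):
    """Quote an SQLite identifier so odd table/column names cannot break the query."""
    return '"' + name.replace('"', '""') + '"'


def audit_db(conn):
    """Return sorted (table, column, non_empty_rows) for credential-like columns."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master "
        "WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        t = quote_ident(table)
        # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk).
        columns = [r[1] for r in conn.execute(f"PRAGMA table_info({t})")]
        for col in filter(SENSITIVE.search, columns):
            c = quote_ident(col)
            count = conn.execute(
                f"SELECT COUNT(*) FROM {t} WHERE {c} IS NOT NULL AND {c} != ''"
            ).fetchone()[0]
            if count:
                findings.append((table, col, count))
    return sorted(findings)


def build_sample():
    """Constructed stand-in for a pulled webview.db; schema and rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE password (_id INTEGER PRIMARY KEY, host TEXT,
                               username TEXT, password TEXT);
        CREATE TABLE httpauth (_id INTEGER PRIMARY KEY, host TEXT, realm TEXT,
                               username TEXT, password TEXT);
        CREATE TABLE formurl (_id INTEGER PRIMARY KEY, url TEXT);
        INSERT INTO password (host, username, password)
            VALUES ('https://example.test', 'alice', 'constructed-value');
        INSERT INTO formurl (url) VALUES ('https://example.test/login');
    """)
    return conn


if __name__ == "__main__":
    for table, col, count in audit_db(build_sample()):
        print(f"{table}.{col}: {count} non-empty row(s) persisted on disk")
```

To audit a real file, pass `sqlite3.connect("webview.db")` on the pulled copy to `audit_db` instead of the constructed sample.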