M 710: Unsafe Logging by Fiserv iPhone Apps (10 pts)
What You Need
- An iPhone. It need not be jailbroken.
- A Mac computer
- An iPhone cable
Purpose
To view iPhone device logs and see passwords exposed by Fiserv apps.
Responsible Disclosure
I notified Fiserv about this on Jan 12, 2020 and they did nothing.
Installing an Unsafe Fiserv App
Install one of these apps (clicking the image goes to the App Store page for the app).
Viewing the iPhone Log
There are various ways to do this, as explained on this page:
How to obtain iOS device logs using Mac and Windows
Here's how I did it for a normal, non-jailbroken iPhone:
- Connect your iPhone to your Mac with a USB cable.
- On the iPhone, tap Trust.
- Install Apple Configurator 2 on the Mac.
- Launch Apple Configurator 2. Double-click the image of your iPhone.
- On the left side, click Console.
For a jailbroken iPhone:
- Connect your iPhone to your Mac with a USB cable.
- At the top right of the Mac desktop, click the magnifying-glass "Spotlight" icon.
- Type console and launch the Console app.
You should see a lot of log messages scrolling by, as shown below.
Filtering the Log View
Choose a word to use as a test password string based on your name, such as bobinator, and search for it in the log. There should be no results, as shown below.
Logging In to an Unsafe App
On your iPhone, launch the unsafe app. Perform a login with any username and a password containing your test password string, as shown below. Your login will be rejected.
Flag M 710.1: Log Entry (10 pts)
The password appears in the log. The flag is covered by a green rectangle in the image below.
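As an added example (not part of the original lab page), here is a small Python check that automates the filter step above over a saved copy of the device log: it parses each line into timestamp, process and message, flags every line containing the test password string, reports which process wrote it, and redacts the secret so the report can be shared. The log line layout, the process name MobileBanking and the sample messages are constructed assumptions, not Fiserv's or Apple's actual output.

```python
import re
from collections import defaultdict

# Constructed sample of a log export after the test password has been typed
# into the app. The "timestamp process: message" layout is an assumption for
# this example, not the real Console / Apple Configurator format.
SAMPLE_LOG = """\
2020-02-12 14:03:19.101 SpringBoard: Application launched
2020-02-12 14:03:21.455 MobileBanking: login request user=bob
2020-02-12 14:03:21.456 MobileBanking: POST body {"user":"bob","password":"bobinator99"}
2020-02-12 14:03:22.010 MobileBanking: login rejected (401)
2020-02-12 14:03:25.300 kernel: wifi link state changed
"""

# timestamp (two tokens), then the process name up to the first colon, then the message
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>[^:]+): (?P<msg>.*)$")


def parse_log(text):
    """Split exported log text into (timestamp, process, message) tuples."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("ts"), m.group("proc"), m.group("msg")))
    return entries


def find_leaks(text, marker):
    """Return {process: [redacted messages]} for every log line whose message
    contains the test password string chosen before logging in. The marker and
    any trailing word characters (the rest of the password) are redacted."""
    redact = re.compile(re.escape(marker) + r"\w*")
    leaks = defaultdict(list)
    for _ts, proc, msg in parse_log(text):
        if marker in msg:
            leaks[proc].append(redact.sub("<REDACTED>", msg))
    return dict(leaks)


def baseline_is_clean(text, marker):
    """True when the marker is absent, i.e. the pre-login check passes."""
    return not find_leaks(text, marker)


if __name__ == "__main__":
    for proc, msgs in find_leaks(SAMPLE_LOG, "bobinator").items():
        print(f"{proc} wrote the test password to the log {len(msgs)} time(s)")
        for m in msgs:
            print("   ", m)
```

Save the Console output to a text file and pass its contents to find_leaks with your own test string; an empty result before login and a non-empty one after is exactly the behaviour this lab demonstrates.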
Posted 2-12-2020