Exxon Mobile Speedpass App Breaks TLS
The Exxon Mobile Speedpass iOS App is used to pay for gas, and it claims to be the fastest, most secure way to pay. However, it sends login credentials, phone numbers, and credit card numbers over the Internet without properly encrypting them. This practice is illegal in the USA, and the FTC has punished companies for this before.
Responsible Disclosure
I notified Exxon about this in Feb., 2019 and got no response. I also notified a prominent security journalist about it and got no response.
The App
Here are screenshots of the app in action, collecting confidential data from the user.
The Network Traffic
Here's the network traffic, from Burp performing a man-in-the-middle attack, sending an invalid TLS certificate to the app, which it accepts and uses.
Exposing a Password
The password is Base64-encoded, but not encrypted.
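The two findings above, an app that accepts an invalid TLS certificate and a password that is merely Base64-encoded, can be reproduced in-process without any network. The Go program below is an added example written for this page; it is not code from the write-up or from the Speedpass app. It starts a local HTTPS server with a self-signed certificate (standing in for the proxy's invalid certificate), then sends constructed sample credentials through two clients: a weak one that skips certificate verification, which is the behaviour the traffic capture shows, and Go's default client, which validates the chain and refuses. Carrying the password in an HTTP Basic header is an assumption for the demo; the page does not say which field the app uses, only that the value is Base64.

```go
package main

import (
	"crypto/tls"
	"encoding/base64"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// Observed holds what the interposed server could read from the requests it
// received: the raw Authorization header, the password recovered from it by
// decoding the Base64 (encoding is not encryption), and a request count.
type Observed struct {
	Header   string
	Password string
	Requests int
}

// startUntrustedServer launches an in-process HTTPS server whose certificate
// is self-signed by httptest, so no trust store accepts it unless the client
// disables verification or explicitly trusts that certificate.
func startUntrustedServer() (*httptest.Server, *Observed, *sync.Mutex) {
	obs := &Observed{}
	mu := &sync.Mutex{}
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		mu.Lock()
		obs.Requests++
		obs.Header = auth
		if raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(auth, "Basic ")); err == nil {
			// Basic credentials decode to "user:password"; keep the part after the colon.
			if i := strings.IndexByte(string(raw), ':'); i >= 0 {
				obs.Password = string(raw[i+1:])
			}
		}
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
		io.WriteString(w, "ok")
	}))
	return srv, obs, mu
}

// login sends HTTP Basic credentials through the supplied client and reports
// whether the request was delivered at all.
func login(client *http.Client, url, user, pass string) error {
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.SetBasicAuth(user, pass)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// WeakClient mirrors the flaw in the write-up: it accepts any certificate, so
// whoever presents a bogus certificate in the middle can read the traffic.
func WeakClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
	}}
}

// StrictClient is the default client: it validates the chain against the
// system trust store and aborts the handshake on an untrusted certificate.
func StrictClient() *http.Client { return &http.Client{} }

// Demo runs both clients against the untrusted server. Requests == 1 means only
// the weak client's credentials reached the server; strictErr is the handshake
// failure (typically x509: certificate signed by unknown authority).
func Demo() (leaked Observed, strictErr error) {
	srv, obs, mu := startUntrustedServer()
	defer srv.Close()

	const user, pass = "alice", "s3cret-sample" // constructed sample credentials
	_ = login(WeakClient(), srv.URL, user, pass)
	strictErr = login(StrictClient(), srv.URL, user, pass)

	mu.Lock()
	leaked = *obs
	mu.Unlock()
	return leaked, strictErr
}

func main() {
	leaked, strictErr := Demo()
	fmt.Printf("requests that reached the interposed server: %d\n", leaked.Requests)
	fmt.Printf("header seen: %q, password recovered: %q\n", leaked.Header, leaked.Password)
	fmt.Printf("strict client error: %v\n", strictErr)
}
```

The fix for an app in this state is the strict client's behaviour: leave certificate validation enabled (or pin to the expected certificate or CA) and treat a handshake failure as a hard stop rather than a condition to work around. Base64 adds nothing to that; anything that reaches a party holding a forged certificate is readable in full.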
Exposing a Credit Card Number
I sent in a fake credit card number and it was also transmitted insecurely.
Found 2-8-19 by Sam Bowne
Posted publicly 5-7-19