Exxon Mobile Speedpass App Breaks TLS

The Exxon Mobile Speedpass iOS App is used to pay for gas, and it claims to be the fastest, most secure way to pay.

However, it sends login credentials, phone numbers, and credit card numbers over the Internet without properly encrypting them.

This practice is illegal in the USA, and the FTC has punished companies for this before.

Responsible Disclosure

I notified Exxon about this in Feb., 2019 and got no response. I also notified a prominent security journalist about it and got no response.

The App

Here are screenshots of the app in action, collecting confidential data from the user.

The Network Traffic

Here's the network traffic, captured by Burp acting as a man-in-the-middle proxy: Burp presents an invalid TLS certificate to the app, and the app accepts it and keeps sending data over the intercepted connection.

Exposing a Password

The password is Base64-encoded, but not encrypted: Base64 is a reversible encoding, so anyone intercepting the request can decode it directly.

Exposing a Credit Card Number

I sent in a fake credit card number and it was also transmitted insecurely.

Found 2-8-19 by Sam Bowne
Posted publicly 5-7-19