Level One Personal Banking iOS App Logs Passwords Insecurely

Background

The Level One Personal Banking iOS app has a security flaw: it writes the user's password to a log on the phone.

This practice is unacceptable for any app according to the OWASP Mobile Application Security Verification Standard (https://github.com/OWASP/owasp-masvs), specifically this item:

2.3 MSTG-STORAGE-3: No sensitive data is written to application logs.

Testing Method

I used a jailbroken iPhone running iOS 12.4.4 with no passcode.

I installed and launched this app:

I performed a login request.
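
The check behind this testing method, as an added example that is not code from the original post or from the Level One app: capture the device log around a login attempt, then search it for the exact password that was typed. On a jailbroken device the log can be saved from a workstation with idevicesyslog (part of libimobiledevice); the script below works on any saved text log. The log lines it uses for the offline demo are constructed for illustration (the process name, PID, endpoint and password "Hunter2!" are made up), and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or the Level One app): scan a
# captured iOS syslog for a known test password, as a check for
# MSTG-STORAGE-3 ("no sensitive data is written to application logs").

# Write a small CONSTRUCTED log to the file named by $1 so the scan can be
# demonstrated offline. These are not real Level One log lines.
make_sample_log() {
    cat > "$1" <<'EOF'
Jan 12 10:02:11 iPhone LevelOne[412] <Notice>: Login view loaded
Jan 12 10:02:19 iPhone LevelOne[412] <Notice>: POST /api/login body={"username":"alice","password":"Hunter2!"}
Jan 12 10:02:20 iPhone LevelOne[412] <Notice>: Login response status=200
Jan 12 10:02:20 iPhone locationd[98] <Notice>: Client LevelOne requested location
EOF
}

# Print every line of log file $2 that contains the literal string $1.
# -F treats the password as a fixed string, so characters such as '!' or '.'
# in it are not interpreted as regex metacharacters; -n prefixes line numbers.
find_secret_in_log() {
    grep -F -n -- "$1" "$2"
}

# Print the number of lines of $2 containing $1 (0 when the log is clean).
# grep -c exits 1 when nothing matched; treat that as success so callers
# using `set -e` are not aborted. Exit status 2 (e.g. missing file) still fails.
count_secret_lines() {
    grep -F -c -- "$1" "$2" || [ $? -eq 1 ]
}

# Succeed (exit 0) only if the secret $1 appears nowhere in log $2.
assert_log_clean() {
    n=$(count_secret_lines "$1" "$2")
    [ "$n" -eq 0 ]
}

# With two arguments, scan a real capture:
#   idevicesyslog > capture.log   (log in with the test password, then Ctrl-C)
#   sh scan.sh 'TestPassword' capture.log
# Without arguments, run against the constructed sample above.
if [ "$#" -ge 2 ]; then
    find_secret_in_log "$1" "$2"
else
    sample=$(mktemp)
    make_sample_log "$sample"
    echo "Lines in the sample log that leak the test password:"
    find_secret_in_log 'Hunter2!' "$sample"
    rm -f "$sample"
fi
```

Use a throwaway test account and a password you will never reuse, since the point of the exercise is that it ends up in plaintext on the device; search for the literal password rather than the word "password", because a leak inside a JSON request body or a URL-encoded form would otherwise be easy to miss.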

Password Exposure

The password was exposed in the log, as shown below.

Notification

I sent this message on 1-12-2020:


Posted 1-12-2020 by Sam Bowne