A pair of bugs in the Snap-owned tracking app reveal phone numbers and allow account hijacking.
Zenly, a social app from Snap that allows users to see the locations of friends and family on a live map, contains a pair of vulnerabilities that could endanger those being tracked.
According to the Checkmarx Security Research Team, the bugs are a user-data exposure vulnerability and an account-takeover vulnerability. Both have been patched, and users should upgrade their apps to the latest version to avoid compromise.
The first bug is a medium-severity problem that reveals the phone numbers of users.
“When submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not,” explained the researchers, in a Thursday posting. “To obtain this information, a malicious actor only needs to know their username.”
Obtaining usernames is easier than it might be, they added, since Zenly exposes an “exhaustive list of friends of a user.”
As for how an attack might play out in practice, Checkmarx offered a hypothetical of a cyberattacker targeting a CEO.
Steps in the kill chain would include the following, researchers said:
- Search the web for an employee of the company and try to obtain their social-media handle (for example, on Twitter);
- Employees who work on communications or marketing fields are typically more exposed and represent easier targets;
- Check if their handle is valid on Zenly;
- Access their list of friends through Zenly, obtain the handle of the CEO;
- Retrieve the phone number of the CEO through their username by exploiting the vulnerability;
- Carry out a spear-phishing attack, using the phone number of the CEO;
- And, an attacker can also repeat these steps to obtain the phone number of other employees and thus prepare a more credible attack.
Anatomy of an Exploit
The vulnerability makes use of the “Add by Username” flow, which starts by searching a known username, according to Checkmarx.
Then, “an environment that enables intercepting and decoding network requests…to gain visibility over network activity” can be used to view requests that occur during the username search.
“By observing the response of the request that was executed on the /UserPublicFriends endpoint, a list of friends can be seen, although it is not displayed on the user interface of the application,” according to the analysis. “This list contains every friend of the user, one of them is Bogus_CEO (bogus CEO of Zenly, for demonstration purposes). Note that the response also contains their username, which could in turn be used to repeat this process and obtain their friends list instead.”
Once the target username has been identified, the same interceptor can get used to obtain the associated phone number via a view called “Add by Username” view, then tapping the “Add as Friend” button, according to researchers.
“This friend invitation will trigger a request to the /FriendRequestCreate endpoint, whose response contains specific information regarding both our user and the target user,” they added. “Note that the response contains both our phone number and the phone number of the target user, even though our friend request was never accepted by the target user.”
Account Takeover Issue
The second vulnerability is also rated as medium-severity. A successful exploit would allow an attacker to access a user’s location, notifications, conversations and friends’ information just like the legitimate user could.
The bug exists in the user-authentication flow, according to Checkmarx, That authentication uses SMS messages containing verification codes to validate sessions.
After the SMS message is sent to the user, the app calls the /SessionVerify endpoint with both the session token and the verification code received by SMS.
An attacker can abuse the /SessionCreate endpoint to steal session tokens, the researchers explained: “Once the legitimate user validates the SMS code for that session token, the session will become valid for both the legitimate user and the attacker…This means that the attacker now has a valid session for the account of the legitimate user, even though the attacker never knew the verification code.”
The reason why the bug is only rated medium is that an exploit is difficult to carry out. Attackers would need to know the mobile phone number of the victim (possible via the first bug). They also must know when the victim will login, sign up, register a new device or go through the authentication flow for any other reason.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.