当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0123432

漏洞标题:帮室友找对象App可致用户敏感信息泄露

相关厂商:心悦君兮

漏洞作者: orange

提交时间:2015-07-03 12:38

修复时间:2015-08-17 12:40

公开时间:2015-08-17 12:40

漏洞类型:敏感信息泄露

危害等级:高

自评Rank:15

漏洞状态:未联系到厂商或者厂商积极忽略

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2015-07-03: 积极联系厂商并且等待厂商认领中,细节不对外公开
2015-08-17: 厂商已经主动忽略漏洞,细节向公众公开

简要描述:

To单身的你
我们产品的初衷是让大家能在学校找到对象。
也许你的专业异性很少,也许你不擅长搭讪,也许了解女生的唯一渠道就是各类以YP出名的软件,没关系,至少还有我们与你并肩。
如果室友是单身或者你自己也单身,无数的小伙伴都把信息发上来,说不定,在弹指间就对上眼了呢。
————— 默默无闻的开发者致上

详细说明:

## 官网链接

http://www.xinyuejunxi.com/


## 测试环境

系统版本:Android 5.1.1
软件版本:官网最新版
抓包工具:Burp Suite Pro v1.6.12


## 测试流程
登录后查看 首页 最新动态处

Screenshot_2015-06-29-10-31-56.png


Burp Suite端设置Intercept is on,开始抓包
点击某个用户头像,进入个人资料
Burp Suite端拦截了此次请求,我们右键把请求内容decode一下

Screenshot from 2015-06-29 11:19:50.png


GET /1.1/users?include=pictures,avatar&where={"objectId":"5582c1b2e4b04ccce3c7b248"} HTTP/1.0
Host: api.leancloud.cn
Connection: Keep-Alive
User-Agent: AVOS Cloud android-v3.0.3 SDK
Accept-Encoding: gzip
X-Uluru-Application-Production: 1
Content-Type: application/json
Accept: application/json
X-avoscloud-Application-Id: mp4nefs1bqjgtfgtc1skmhv1w6tjj93sswk32pnph0otfm8g
X-avoscloud-Session-Token: 9jnvjx7xib94xpamzzkp2oae5
x-avoscloud-request-sign: 718efabd8874590a633bc7458163807c,1435547686137


分析请求URL ,可以推测 objectId 为每个用户的唯一标识,include为请求内容

https://api.leancloud.cn/1.1/users?include=pictures,avatar&where={"objectId":"5582c1b2e4b04ccce3c7b248"}


继续右键把请求内容发送到 Repeater

screenshot from 2015-06-29 11:29:42.png


响应内容

{
    "results": [
        {
            "heightRange": 4,
            "blockUsers": {
                "__type": "Relation",
                "className": "_User"
            },
            "updatedAt": "2015-06-23T11:19:32.033Z",
            "age": 19,
            "constellation": 0,
            "school": "扬州大学",
            "objectId": "5582c1b2e4b04ccce3c7b248",
            "signature": "",
            "nickname": "staying out",
            "city": "扬州",
            "username": "13291381370",
            "createdAt": "2015-06-18T13:03:46.396Z",
            "likeFeeds": {
                "__type": "Relation",
                "className": "RMFeed"
            },
            "favoritedFeeds": {
                "__type": "Relation",
                "className": "RMFeed"
            },
            "emailVerified": false,
            "involvedFeeds": {
                "__type": "Relation",
                "className": "RMFeed"
            },
            "filter": {
                "__type": "Pointer",
                "className": "RMFeedFilter",
                "objectId": "55837b68e4b04ccce3d812e9"
            },
            "friends": {
                "__type": "Relation",
                "className": "_User"
            },
            "focusUsers": {
                "__type": "Relation",
                "className": "_User"
            },
            "mobilePhoneNumber": "13291我是马赛克370",
            "pictures": [
                {
                    "mime_type": "image/jpeg",
                    "updatedAt": "2015-06-18T13:04:13.566Z",
                    "key": "sq3VNKTpvAVDwAfWSAiVMRA.jpg",
                    "name": "8B70C99C-9BDE-4D4A-8528-9D42399D6BEE.jpg",
                    "objectId": "5582c1cde4b04ccce3c7b728",
                    "createdAt": "2015-06-18T13:04:13.566Z",
                    "__type": "File",
                    "url": "http://ac-mp4nefs1.clouddn.com/sq3VNKTpvAVDwAfWSAiVMRA.jpg",
                    "metaData": {
                        "size": 56238,
                        "_checksum": "df7374641140815e3d2505bf3a1b59b2",
                        "owner": "5582c1b2e4b04ccce3c7b248"
                    },
                    "bucket": "mp4nefs1"
                },
                {
                    "mime_type": "image/jpeg",
                    "updatedAt": "2015-06-18T13:04:45.844Z",
                    "key": "lGEmCHAZ7xDzTJ61cemVDtC.jpg",
                    "name": "8F0E0ED5-7B3C-4396-99B7-B0EB962CD9C6.jpg",
                    "objectId": "5582c1ede4b04ccce3c7bb03",
                    "createdAt": "2015-06-18T13:04:45.844Z",
                    "__type": "File",
                    "url": "http://ac-mp4nefs1.clouddn.com/lGEmCHAZ7xDzTJ61cemVDtC.jpg",
                    "metaData": {
                        "size": 127842,
                        "_checksum": "5f308e498a4b5c566bb3b00be3b36872",
                        "owner": "5582c1b2e4b04ccce3c7b248"
                    },
                    "bucket": "mp4nefs1"
                },
                {
                    "mime_type": "image/jpeg",
                    "updatedAt": "2015-06-18T13:05:01.847Z",
                    "key": "rnEPceAPapY5hS2PQSsjRrD.jpg",
                    "name": "FB0C5730-64C9-4567-8E75-08EC29131DB9.jpg",
                    "objectId": "5582c1fde4b04ccce3c7bd74",
                    "createdAt": "2015-06-18T13:05:01.847Z",
                    "__type": "File",
                    "url": "http://ac-mp4nefs1.clouddn.com/rnEPceAPapY5hS2PQSsjRrD.jpg",
                    "metaData": {
                        "size": 89776,
                        "_checksum": "5ef989976bc1504b88ba803ff93f55f7",
                        "owner": "5582c1b2e4b04ccce3c7b248"
                    },
                    "bucket": "mp4nefs1"
                },
                {
                    "mime_type": "image/jpeg",
                    "updatedAt": "2015-06-18T13:05:31.428Z",
                    "key": "Wr543ISR2EIdILMgTSsRHtD.jpg",
                    "name": "2F79E5D9-FFDE-441E-A71B-73CCFDB7B722.jpg",
                    "objectId": "5582c21be4b04ccce3c7c1d2",
                    "createdAt": "2015-06-18T13:05:31.428Z",
                    "__type": "File",
                    "url": "http://ac-mp4nefs1.clouddn.com/Wr543ISR2EIdILMgTSsRHtD.jpg",
                    "metaData": {
                        "size": 102832,
                        "_checksum": "decbb776df18794594d6344cf5dacced",
                        "owner": "5582c1b2e4b04ccce3c7b248"
                    },
                    "bucket": "mp4nefs1"
                }
            ],
            "avatar": {
                "mime_type": "image/jpeg",
                "updatedAt": "2015-06-18T13:04:13.566Z",
                "key": "sq3VNKTpvAVDwAfWSAiVMRA.jpg",
                "name": "8B70C99C-9BDE-4D4A-8528-9D42399D6BEE.jpg",
                "objectId": "5582c1cde4b04ccce3c7b728",
                "createdAt": "2015-06-18T13:04:13.566Z",
                "__type": "File",
                "url": "http://ac-mp4nefs1.clouddn.com/sq3VNKTpvAVDwAfWSAiVMRA.jpg",
                "metaData": {
                    "size": 56238,
                    "_checksum": "df7374641140815e3d2505bf3a1b59b2",
                    "owner": "5582c1b2e4b04ccce3c7b248"
                },
                "bucket": "mp4nefs1"
            },
            "gender": 2,
            "province": "江苏",
            "likedFeeds": {
                "__type": "Relation",
                "className": "RMFeed"
            },
            "authData": null,
            "mobilePhoneVerified": true
        }
    ]
}


## 测试结果
App请求响应 包含用户敏感信息

"mobilePhoneNumber":"马赛克"

漏洞证明:

如上

修复方案:

删除无关响应内容,保护好用户隐私

版权声明:转载请注明来源 orange@乌云

漏洞回应

厂商回应:

未能联系到厂商或者厂商积极拒绝

漏洞Rank:15 (WooYun评价)