
Mobile Rediff Username and Password Disclosure


Advisory Title: Mobile Rediff Username and Password Disclosure
Advisory ID: FSSA-2009-0402
Author: Gursev Kalra (gursev.kalra@foundstone.com)
Application: MobileRediff 1.04 by http://www.rediff.com/
Vendor Contact Date: 4/24/2009 (Vendor notified by email)
Release Date: 7/15/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Builds for other mobile platforms may behave in the same way (not tested).
Severity: Medium (Information Disclosure)
Vendor Status: No response received

Overview:
The Rediffmail component of the MobileRediff application (version 1.04) stores the user's username and password on the phone in clear text, allowing anyone with access to the phone's file system to recover them.

Details:
The RediffMail component of the MobileRediff application (version 1.04) offers a "Remember Me" option. When a user selects it, the application writes the user's username and password to phone storage in clear text, with no encryption or other protection. Anyone who can read the phone's file system, for example after the phone is lost or stolen, or via a file browser on a shared device, can recover the stored username and password and log in to the account.
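The storage pattern described above, modelled in Python as an added example (this is not the MobileRediff code, which is a Symbian application, and the credentials, file name, PIN and function names are constructed for illustration). It shows the weak "write credentials as-is" pattern, the check an attacker with file-system access performs (read the file, look for the secret), and two hardened alternatives: storing only a server-issued, revocable session token so the password never touches the device, and, where a secret must be kept on the device, wrapping it under a key derived from a user-entered PIN with encrypt-then-MAC so the file alone is useless.

```python
"""Model of the "Remember Me" weakness and two hardened alternatives.
Illustrative stdlib-only Python; not the MobileRediff code."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Constructed sample credentials; not a real account.
USERNAME = "alice@rediffmail.com"
PASSWORD = "correct horse battery staple"


def remember_me_plaintext(path: Path, username: str, password: str) -> None:
    """The pattern the advisory describes: credentials written to storage as-is."""
    path.write_text(json.dumps({"user": username, "pass": password}))


def secret_leaks(path: Path, secret: str) -> bool:
    """What anyone with file-system access (lost phone, file browser) can do:
    read the file back and look for the secret."""
    return secret.encode() in path.read_bytes()


def remember_me_token(path: Path, username: str, token: bytes) -> None:
    """Hardened variant 1: keep the password off the device entirely.  The server
    issues an opaque per-device session token after one successful login and only
    that token is stored; a stolen token can be revoked server-side, a stolen
    password cannot (and is often reused elsewhere)."""
    path.write_text(json.dumps({"user": username, "token": token.hex()}))


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (no AES in the stdlib)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive_keys(pin: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Separate encryption and MAC keys from a slow PBKDF2 over the PIN."""
    km = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def wrap_with_pin(pin: str, plaintext: bytes) -> dict:
    """Hardened variant 2: if a secret must live on the device, wrap it under a
    key derived from something the user types (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(pin, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unwrap_with_pin(pin: str, blob: dict) -> Optional[bytes]:
    """Returns None on a wrong PIN or a tampered blob; the tag is checked in
    constant time before any decryption happens."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive_keys(pin, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def run_demo() -> dict:
    """Exercise all three storage patterns in a temp dir and report what leaks."""
    store = Path(tempfile.mkdtemp()) / "rediff.cfg"   # constructed file name
    results = {}

    remember_me_plaintext(store, USERNAME, PASSWORD)
    results["plaintext_leaks_password"] = secret_leaks(store, PASSWORD)

    remember_me_token(store, USERNAME, secrets.token_bytes(32))
    results["token_leaks_password"] = secret_leaks(store, PASSWORD)

    blob = wrap_with_pin("1234", PASSWORD.encode())
    store.write_text(json.dumps({"user": USERNAME, "wrapped": blob}))
    results["wrapped_leaks_password"] = secret_leaks(store, PASSWORD)
    results["wrapped_opens_with_pin"] = unwrap_with_pin("1234", blob) == PASSWORD.encode()
    results["wrapped_opens_with_wrong_pin"] = unwrap_with_pin("0000", blob) is not None
    # Flip the last hex digit of the ciphertext: the tag check must reject it.
    tampered = dict(blob, ct=blob["ct"][:-1] + ("0" if blob["ct"][-1] != "0" else "1"))
    results["tampered_blob_opens"] = unwrap_with_pin("1234", tampered) is not None
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The token variant is the one to prefer: it needs server support but means a lost phone exposes nothing the server cannot revoke. The PIN-wrapped variant is only as strong as the PIN; a four-digit PIN gives an attacker with the file just 10,000 candidates, and the slow KDF only multiplies the cost of that search, so it should protect a revocable token rather than the account password itself.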

Vendor Response:
No response

Workaround:
Do not enable the "Remember Me" (store username and password) option in the Rediffmail component of the Mobile Rediff application. Disabling the option does not necessarily remove a file that has already been written, so a user who had it enabled on a phone that has since been lost or stolen should also change the account password.

For questions and comments please send an email to:
research@foundstone.com

Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories
