Leaking Credit card Activity in logs? Yes Sir!

Hello again,
This is the easiest bug you can find while testing an android application. When you report it, you’re gonna be the problem for the developers because this bug must not happen.

I was invited to a private program, and I saw that they have an Android application so I decided to test on it.

I used Genymotion to install the App and used it with burp suite.

I started understanding what this app does and how it works. The app is used to send an receive money at the same time you can use it for donations, birthday gift sharing, buy me a pizza etc..

After doing a lot of tests, (to make it short) I decided to open 2 accounts to start testing the “buy me a pizza” feature. Using burp I intercepted the requests and everything was fine and correctly set.

Almost everything was perfect, until I opened my phone and using termux I was checking my /res directory in the app installed also on my phone so this idea came to me which made me find the “leak”

using Santoku OS (you can find more info about it online) I used it to connect to my phone, there I started the logging and monitored what was going on while I am using the app and when I decided to add Credit card information and I saw that it was being logged.

Other than the problem of your CC information being logged, the issue is that you can see these logs while your phone is not rooted .

Also , every activity was getting leaked in the logs related to the CC and transactions made

Got a bounty of 800$.

Posted in Blog