lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200907211039.n6LAdpjD002357@www3.securityfocus.com>
Date: Tue, 21 Jul 2009 04:39:51 -0600
From: gursev.kalra@...ndstone.com
To: bugtraq@...urityfocus.com
Subject: mChek 3.4 Information Disclosure

Advisory Title: mChek 3.4 Information Disclosure
Advisory ID: FSSA-2009-0401
Author: Gursev Kalra (gursev.kalra@...ndstone.com)
Vendor Contact Date: 4/21/2009 (Vendor notified by email)
Release Date: 07/21/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Low (Information Disclosure)
Vendor Status: Version 3.8 fixes this problem

Overview: mChek application stores Credit/Debit Card numbers and bank name without protection

Application: mChek 3.4 by http://www.mchek.com/ 
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Low

Details:
mChek is an E-commerce application which allows users to store multiple credit/debit cards in the phone and use them when required. mChek (Version 3.4) application stores multiple Credit Card numbers and corresponding bank account information to phone storage without protection. It also provides a feature to Link Bank Accounts to this application. mChek application writes all this information to a file on the phone file system. Upon inspection, it was observed that credit card number and corresponding bank name was written in cleartext to mobile phone storage.  It was also observed that after a credit card is deleted from mCheck’s user interface, the credit card number continues to exist in the phone file system. If the phone is lost/stolen or any other phone user is able to read phone’s file system, the stored credit/debit card numbers and Bank name can be compromised. 

Vendor Response: 
mChek Version 3.4 is an older version of the product. The current version is 3.8. In this version, cardnumber, bankname and phonenumber are not stored in clear text and using encrypted  storage. When the credit card information is deleted by the user, it’s deleted from the application DB as well but the behavior is not same in all phone make and models. We are providing enough protection to the sensitive data stored and the security is not dependent on the user ability to read the file system of the phone. 
Having said that, even in Version 3.4, only creditcard number and bank name were stored as cleartext. The risk was very low as it is not possible to make a transaction with cardnumber alone. All other sensitive data like exp date for example are encrypted and stored and encryption key never stored in mobile phone and making the information very secure.

Recommendation:
Upgrade to version 3.8 or above.

For questions and comments please send an email to:
research@...ndstone.com

Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ