A popular Google Play app, Camera360 Ultimate, has been found to inadvertently leak sensitive data. This gives malicious parties unauthorized access to users’ Camera360 Cloud accounts and photos.
FireEye, which had previously discovered SSL-based man-in-the-middle vulnerabilities in the widely used Camera360 app and many other popular applications, uncovered the weakness.
Camera360 is a popular photo shooting and editing application with millions of users worldwide. It provides a free cloud service for storage of pictures too; to use the cloud feature, users create a cloud account that can also be accessed via the website www.cloud.camera360.com. This is where the issue lies.
Cloud access is protected by username and password. But when the app accesses the cloud, it leaks sensitive data, in unencrypted form, to the Android system log (logcat) and over the network.
Apps that can read logcat or capture network traffic can steal this data. Also, a malicious party present in the same Wi-Fi network as the device can steal this data by using Wi-Fi sniffing.
“Leaked data can be used to download all of the user’s images, except those in the user’s ‘secret album,’” FireEye explained in a blog. “The secret album option uses an additional password to secure important images. This particular Android app does not access these secret images and all images uploaded from the device to the cloud are by default non-secret.”
Leaked data can be used in the following ways:
Bypassing the web cloud login page to access the user’s account and photos
Fetching permanent image keys from the server and using them to download images
Permanent and non-expiring image keys are leaked, which can be used to download images without providing credentials or a token.
Unencrypted pictures are sent over the network, where attackers can steal them using a network sniffer.
Leaked email addresses and password hashes can be used to send an unauthorized login request to the server.
User passwords can be obtained by cracking the leaked password hash. Password hashes and leaked email addresses can be used to log in to the cloud service.
“It is crucial that Android app developers improve security to provide users with a better and more protected Android experience,” FireEye concluded.
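For developers who want to check their own builds for the logcat leak described above, the following is an added example (not code from FireEye or Camera360) that scans captured logcat output for the data categories the article names: email addresses, password hashes, and tokens or keys. The log tags, field names, sample lines and matching patterns are constructed assumptions, not the app's real output.

```python
import re

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LOGCAT_LINE = re.compile(
    r"^\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\s+\d+\s+\d+\s+[VDIWEF]\s+"
    r"(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)

# Categories come from the article; the patterns are assumptions for this example.
DETECTORS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # Bare hex string of MD5, SHA-1 or SHA-256 length.
    "password_hash": re.compile(
        r"(?<![0-9a-fA-F])(?:[0-9a-fA-F]{64}|[0-9a-fA-F]{40}|[0-9a-fA-F]{32})(?![0-9a-fA-F])"
    ),
    # name=value or "name":"value" where the name suggests a credential.
    "token_or_key": re.compile(
        r"(?i)[\"']?(\w*(?:token|key|passw)\w*)[\"']?\s*[=:]\s*[\"']?([^\s\"'&,}]{8,})"
    ),
}

def redact(value):
    """Keep a short prefix so the audit report does not repeat the leak."""
    return f"{value[:4]}...({len(value)} chars)"

def audit(log_text):
    """Return (line_no, tag, category, redacted_value) for each suspected leak."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        parsed = LOGCAT_LINE.match(line)
        tag = parsed["tag"] if parsed else None
        msg = parsed["msg"] if parsed else line  # still scan unparsed lines
        for category, pattern in DETECTORS.items():
            for m in pattern.finditer(msg):
                value = m.group(m.lastindex or 0)  # captured value, else whole match
                findings.append((line_no, tag, category, redact(value)))
    return findings

# Constructed sample log lines (hypothetical tags and field names).
SAMPLE = """\
03-14 10:02:11.120  4321  4350 D CloudClient: login email=alice@example.com pwd=0123456789abcdef0123456789abcdef
03-14 10:02:11.480  4321  4350 D CloudClient: response {"token":"CONSTRUCTEDTOKEN0001","uid":1001}
03-14 10:02:12.015  4321  4352 I Gallery: loaded 12 thumbnails
03-14 10:02:12.300  4321  4352 D Gallery: fetch image key=CONSTRUCTEDIMAGEKEY42
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run it against the output of `adb logcat -d -v threadtime` from a test device after exercising the login and sync paths; any finding in a release build points to a log statement that should be removed or redacted.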