Insufficient Transport Layer Protection: Mediafire Android Application


Hi there,

It has been quite a long time since I published my last post; sorry for keeping you waiting.

So this is the story of a bug I found in the Mediafire Android application.
First of all, I want to clarify that I never use rooted devices, since rooting removes the most important security feature (the restriction on access to the /data/data folder).

Now let's get to the bug.

After testing their API and web application (I found 10+ issues there), it was time to take a look at their Android application.
So I installed the application directly from the Play Store and configured Burp to listen to all the traffic coming from my device. Now let's start testing.

I had been playing with the Android application for 3-4 hours but was not able to find any issue. Actually, the app uses the same API that I had already tested.
Then I started looking for issues of the kind "every request that carries a session token should go over HTTPS". Suddenly I noticed a request that disappeared within seconds from the HTTP history tab of Burp.
I started digging, as that request did not have HTTPS protection.
After looking for some time, I figured out that whenever you preview an image within the Android app, this request goes out:

http://ww7.mediafire.com/conversion_server.php?fc02&quickkey=<quick_Key_of_file>&doc_type=i&size_id=5&session_token=<session_token_here>

This request does not go over HTTPS, and it carries the session token as well.
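As an added check (example code written for this post, not Mediafire's or the author's), here is a small Python audit that scans an exported proxy history for tokens sent over plain HTTP and lists which HTTPS endpoints accept the same token value, so those sessions can be invalidated. The sensitive parameter names and the sample URLs are assumptions constructed to mirror the request shapes above.

```python
from urllib.parse import urlparse, parse_qs

# Query parameter names that must never travel in cleartext. The set is an
# assumption for this example; extend it for the application under review.
SENSITIVE_PARAMS = {"session_token", "token", "sessionid", "auth"}


def cleartext_token_leaks(request_lines):
    """Return (url, [param names]) for every http:// request whose query
    string carries one of SENSITIVE_PARAMS (one full URL per input line)."""
    leaks = []
    for line in request_lines:
        parsed = urlparse(line.strip())
        if parsed.scheme.lower() != "http":
            continue
        params = parse_qs(parsed.query)
        leaked = sorted(p for p in params if p.lower() in SENSITIVE_PARAMS)
        if leaked:
            leaks.append((line.strip(), leaked))
    return leaks


def https_endpoints_using_leaked_tokens(request_lines):
    """Map each token value seen in cleartext to the HTTPS endpoints that also
    accept it: these are the sessions to invalidate after such an exposure."""
    exposed = set()
    for url, leaked in cleartext_token_leaks(request_lines):
        params = parse_qs(urlparse(url).query)
        for name in leaked:
            exposed.update(params[name])
    reuse = {}
    for line in request_lines:
        parsed = urlparse(line.strip())
        if parsed.scheme.lower() != "https":
            continue
        for values in parse_qs(parsed.query).values():
            for value in values:
                if value in exposed:
                    endpoint = f"https://{parsed.netloc}{parsed.path}"
                    reuse.setdefault(value, set()).add(endpoint)
    return reuse


# Constructed sample proxy history: the request shapes mirror the post, the
# quickkey and token values are placeholders, not real values.
SAMPLE_HISTORY = [
    "https://www.mediafire.com/api/1.5/user/get_info.php?session_token=PLACEHOLDER_TOKEN",
    "http://ww7.mediafire.com/conversion_server.php?fc02&quickkey=PLACEHOLDER_KEY&doc_type=i&size_id=5&session_token=PLACEHOLDER_TOKEN",
    "http://ww7.mediafire.com/images/logo.png",
    "https://www.mediafire.com/api/1.5/user/renew_session_token.php?session_token=PLACEHOLDER_TOKEN",
]
```

Running it over SAMPLE_HISTORY flags only the conversion_server.php request and reports that the same token value is accepted by the two HTTPS API endpoints.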


How to Exploit:-

Now if the victim is using public Wi-Fi (a malicious user's Wi-Fi), that malicious user can intercept the request and take over the account with the session. There is a catch as well: the session token is only valid for 10 minutes, and if you try to send a request after 10 minutes of idle time you have to enter the password to re-authenticate yourself, after which a new session token is generated.
But there is an endpoint where you can renew the session token, as long as you send the request before the 10-minute idle timeout.

https://www.mediafire.com/api/1.5/user/renew_session_token.php?session_token=<TOKEN_YOU_GOT>


Now you have everything: you can take over the user's session without hitting the session timeout.

Timeline
5 April 2016 17:25:36: Bug found
5 April 2016 17:36:37: Reported to Mediafire
7 April 2016 22:57:00: More information sent about renewing the session token to bypass the password requirement.
8 April 2016 00:52:33: Report is Triaged
8 April 2016 00:53:04: Bug is fixed
8 April 2016 (I don't remember the time): Update issued for the Android application.


It was my pleasure to work with the Mediafire security team, as they were very fast in fixing the issue and issuing the update.


That's all for this post; let me know your opinion in the comment section.

Thanks
Jitendra Kumar Singh(Team Computer Korner)

