Vulnerability In VIPRE Mobile Security That unintentionally Lead To Leaking Millions of Contacts

During my research work with Comparitech company in Canada as a freelance i discovered a vulnerability in a free mobile security software called VIPRE which had   more than 30000 downloads on play store.

in addition to Anti-Virus functionality the software allows you to backup all your contacts to their cloud portal and allows you to download them again in .vcf Format.

So their is a logical vulnerability that allow a user to download contacts for other users, as the application is not doing any authorization.

if we intercept the request generated from the application when trying to download one of our backed up contacts

by checking the request we find the following

GET /devices/381823/contacts/54285694/download_contact HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: _vipremobile2_session=BAh7CUkiD3Nlc3Npb25faWQGOgZFRkkiJTMzZTA2MmMxY2RhOTQ0NjQ4OGVlNDgyNDAzOTdhNmFjBjsAVEkiEF9jc3JmX3Rva2VuBjsARkkiMTFQckRidjJpZG9GTVlWRnV1NWhRa1dGaUdpNnEvTjVlTk1OMEhsczV4WUE9BjsARkkiGXdhcmRlbi51c2VyLnVzZXIua2V5BjsAVFsISSIJVXNlcgY7AEZbBmkDTJIDSSIiJDJhJDEwJHVCRVdCamtTdjhWU1NBQnZsU3FPRi4GOwBUSSIdd2FyZGVuLnVzZXIudXNlci5zZXNzaW9uBjsAVHsGOg50aW1lX3pvbmVJIg9Bc2lhL0R1YmFpBjsAVA%3D%3D–cf183fb97ff3b436ad7f820c52a8e521cf6c05ee
Upgrade-Insecure-Requests: 1

The parameter highlighted in red is vulnerable as this number can be changed to any other number and we will be able to download a .vcf contact for another user.

so i wrote this small script that iterates from 1 to 6000000 to downloads all contacts from their database

ScriptI downloaded nearly million record, these records doesn’t only contain name and phone number, it actually includes the following

  • Name
  • Home/Mobile Number
  • Address
  • Email
  • base 64 encoded Photo

This is an example of the output

I ended up with nearly a million .vcf file that contains private and sensitive information regarding VIPRE customers.

The vulnerability is reported to VIPRE and they fixed it.

Leave a Reply

Your email address will not be published. Required fields are marked *