During my research work as a freelancer with the Comparitech company in Canada, I discovered a vulnerability in a free mobile security app called VIPRE, which had more than 30000 downloads on the Play Store.
In addition to its anti-virus functionality, the app lets you back up all your contacts to their cloud portal and download them again in .vcf format.
There is a logic vulnerability that allows a user to download other users' contacts, because the application performs no authorization check on the download request.
If we intercept the request the application generates when downloading one of our own backed-up contacts, we find the following:
GET /devices/381823/contacts/54285694/download_contact HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
Accept-Encoding: gzip, deflate
The numeric identifier highlighted in red is vulnerable: it can be changed to any other number and the server returns the .vcf contact of another user, since it never checks that the requested record belongs to the authenticated account.
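To make the missing check concrete, here is an added example (my own illustration, not VIPRE's server code) that models the download endpoint as a plain function in two forms: the vulnerable one looks a contact up by the ID from the path and returns it, while the hardened one first verifies that the device in the path belongs to the session user and that the contact belongs to that device. The device IDs, contact IDs, user names and records are constructed for the example; only the URL shape comes from the captured request above.

```python
"""Added example (not VIPRE's code): an object-level authorization check for
/devices/<device_id>/contacts/<contact_id>/download_contact.
All users, devices and contact records below are constructed."""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    contact_id: int
    device_id: int
    name: str
    phone: str
    photo: bytes


# Constructed data: two users, one device each, one backed-up contact each.
DEVICES = {381823: "alice", 381824: "bob"}  # device_id -> owning account
CONTACTS = {
    54285694: Contact(54285694, 381823, "Alice Friend", "+1 555 0100", b"\x89PNG..."),
    54285695: Contact(54285695, 381824, "Bob Friend", "+1 555 0200", b"\x89PNG..."),
}


class NotFound(Exception):
    """Stands in for an HTTP 404 response."""


def to_vcard(c: Contact) -> str:
    # Same kind of payload the app downloads: name, number and base64 photo.
    photo = base64.b64encode(c.photo).decode()
    return "\r\n".join([
        "BEGIN:VCARD", "VERSION:3.0", f"FN:{c.name}",
        f"TEL;TYPE=CELL:{c.phone}", f"PHOTO;ENCODING=b;TYPE=PNG:{photo}",
        "END:VCARD",
    ]) + "\r\n"


def download_contact_vulnerable(session_user: str, device_id: int, contact_id: int) -> str:
    # Only checks that the record exists; the IDs in the path are trusted as-is,
    # so any authenticated user can fetch any contact_id (the bug on this page).
    c = CONTACTS.get(contact_id)
    if c is None:
        raise NotFound
    return to_vcard(c)


def download_contact_hardened(session_user: str, device_id: int, contact_id: int) -> str:
    # 1. The device in the path must belong to the authenticated account.
    if DEVICES.get(device_id) != session_user:
        raise NotFound  # 404 rather than 403: do not confirm that the ID exists
    # 2. The contact must belong to that device, not merely exist somewhere.
    c = CONTACTS.get(contact_id)
    if c is None or c.device_id != device_id:
        raise NotFound
    return to_vcard(c)


def allowed(handler, session_user: str, device_id: int, contact_id: int) -> bool:
    """True if the handler would serve the record, False if it would refuse."""
    try:
        handler(session_user, device_id, contact_id)
        return True
    except NotFound:
        return False


if __name__ == "__main__":
    # alice asking for bob's contact: served by the vulnerable handler, refused by the hardened one
    print("vulnerable:", allowed(download_contact_vulnerable, "alice", 381823, 54285695))
    print("hardened:  ", allowed(download_contact_hardened, "alice", 381823, 54285695))
```

The two checks in the hardened handler are the ones a reviewer should look for on every endpoint that takes a record ID from the URL: the ownership check must run against the session identity, not against anything the client sends, and the lookup should be scoped (device and contact) rather than a global fetch by primary key. Returning 404 in both failure cases avoids turning the endpoint into an oracle for which IDs exist.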
So I wrote a small script that iterates from 1 to 6000000 to download all contacts from their database.
I downloaded nearly a million records. These records don't only contain a name and phone number; each one actually includes the following:
- Home/Mobile Number
- Base64-encoded photo
This is an example of the output
I ended up with nearly a million .vcf files containing private and sensitive information about VIPRE customers.
The vulnerability was reported to VIPRE and they fixed it.
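A bulk download like the one described above leaves a very recognisable trace in the web server's access log: one client walking the contact-ID space in order, with a mix of 200 and 404 responses. As an added example (my own illustration, not anything from VIPRE or Comparitech), the function below parses constructed access-log lines for the download_contact path and flags clients that request many distinct contact IDs that are mostly consecutive. The IP addresses, timestamps and IDs in the sample lines are constructed; the thresholds are assumptions to be tuned per service.

```python
"""Added example (not VIPRE's code): flag sequential-ID enumeration of the
download_contact endpoint from access-log lines.  Log lines are constructed."""
import re
from collections import defaultdict

# Apache/nginx combined-style line, constrained to the endpoint on this page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /devices/(?P<dev>\d+)/contacts/(?P<cid>\d+)/download_contact[^"]*" '
    r'(?P<status>\d{3})'
)


def _line(ip: str, sec: int, dev: int, cid: int, status: int) -> str:
    return (f'{ip} - - [12/Mar/2019:10:00:{sec:02d} +0000] '
            f'"GET /devices/{dev}/contacts/{cid}/download_contact HTTP/1.1" {status} 1842')


# Constructed sample: one client walking IDs 1000..1011 (some IDs unused -> 404),
# one ordinary client fetching two of its own contacts.
SAMPLE_LOG = [_line("203.0.113.5", i, 381823, 1000 + i, 200 if i % 3 else 404)
              for i in range(12)]
SAMPLE_LOG += [_line("198.51.100.7", 30, 381823, 54285694, 200),
               _line("198.51.100.7", 31, 381823, 54285700, 200)]


def parse(lines):
    """Yield (ip, device_id, contact_id, status) for matching log lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], int(m["dev"]), int(m["cid"]), int(m["status"])


def find_enumerators(lines, min_ids: int = 10, seq_ratio: float = 0.8) -> dict:
    """Return {ip: summary} for clients that look like they are iterating IDs.

    A client is flagged when it has requested at least `min_ids` distinct
    contact IDs and at least `seq_ratio` of the gaps between its sorted IDs
    are exactly 1 (assumed thresholds).
    """
    ids_per_ip = defaultdict(set)
    statuses_per_ip = defaultdict(list)
    for ip, _dev, cid, status in parse(lines):
        ids_per_ip[ip].add(cid)
        statuses_per_ip[ip].append(status)

    flagged = {}
    for ip, ids in ids_per_ip.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        gaps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for g in gaps if g == 1) / len(gaps)
        if ratio >= seq_ratio:
            flagged[ip] = {
                "distinct_ids": len(ids),
                "sequential_ratio": round(ratio, 2),
                "id_range": (ordered[0], ordered[-1]),
                "not_found": statuses_per_ip[ip].count(404),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_enumerators(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinct-ID count and the sequential ratio together separate a scraper from a busy legitimate user, who fetches a handful of IDs in no particular order. In production the same logic would run per time window and would usually be paired with a rate limit on the endpoint; neither replaces the authorization check, but both catch the abuse much earlier than a million-record dump.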