Mobile Rediff Username and Password Disclosure
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Mobile Rediff Username and Password Disclosure
- From: gursev.kalra@xxxxxxxxxxxxxx
- Date: 15 Jul 2009 18:19:16 -0000
Advisory Title: Mobile Rediff Username and Password Disclosure
Advisory ID: FSSA-2009-0402
Author: Gursev Kalra (gursev.kalra@xxxxxxxxxxxxxx)
Application: MobileRediff 1.04 by http://www.rediff.com/
Vendor Contact Date: 4/24/2009 (Vendor notified by email)
Release Date: 7/15/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave
in the same way.
Severity: Medium (Information Disclosure)
Vendor Status: No Response received
Overview:
The Rediffmail component of the MobileRediff application (version 1.04)
discloses the user's username and password by storing them on the phone in
clear text.
Details:
The RediffMail component of the MobileRediff application (version 1.04) has a
"Remember Me" function. When a user selects this option, the mobile application
writes the user's username and password to phone storage in clear text, without
encryption or any other protection. If the phone is lost or stolen, or if any
other person is able to access the phone's file system (for example through a
file browser, a PC suite or a memory-card reader), the stored username and
password can be recovered directly from the file.
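The following is an added example (not part of the original advisory and not
Rediff's code) of the check used to confirm a finding like this one: log in once
with a known test account with the option enabled, copy the application's
storage off the device, and search the copy for the test credentials as raw
bytes. The file name "rediffmail.ini", its key=value layout and the test
credentials are assumptions made for the demo; the scan checks both UTF-8 and
UTF-16LE, since a Symbian application may persist 16-bit descriptors.

```python
import os
import tempfile
from pathlib import Path

# Constructed test credentials for the demo; nothing here is real account data.
TEST_USER = "advisorytest"
TEST_PASS = "Sp00l-Pr0be-77"


def write_remember_me_plaintext(store_dir, username, password):
    """Reproduce the weak pattern the advisory describes: a settings file that
    carries the account password in the clear. The file name and key=value
    layout are assumptions for this demo, not the application's real format."""
    path = Path(store_dir) / "rediffmail.ini"
    path.write_text(
        f"remember=1\nusername={username}\npassword={password}\n",
        encoding="utf-8",
    )
    return path


def find_cleartext_secrets(root, secrets):
    """Walk a copied phone filesystem (or one application's private data
    directory) and report every file whose raw bytes contain a known test
    secret. Each secret is searched as UTF-8 and as UTF-16LE.
    Returns a sorted list of (relative path, secret) pairs."""
    root = Path(root)
    needles = [(s, s.encode(enc)) for s in secrets for enc in ("utf-8", "utf-16-le")]
    hits = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()
            except OSError:
                continue  # unreadable entries are skipped, not treated as clean
            for secret, needle in needles:
                if needle in data:
                    hits.add((path.relative_to(root).as_posix(), secret))
    return sorted(hits)


def demo():
    """Build a small constructed 'dump': one app directory using the weak
    pattern, one file holding 16-bit text, and one unrelated file.
    Returns the scan result so it can be checked programmatically."""
    with tempfile.TemporaryDirectory() as dump:
        app = Path(dump) / "private" / "app"
        app.mkdir(parents=True)
        write_remember_me_plaintext(app, TEST_USER, TEST_PASS)
        (app / "cache.dat").write_bytes(("user:" + TEST_USER).encode("utf-16-le"))
        (Path(dump) / "readme.txt").write_text("nothing sensitive here\n", encoding="utf-8")
        return find_cleartext_secrets(dump, [TEST_USER, TEST_PASS])


if __name__ == "__main__":
    for path, secret in demo():
        print(f"{path}: contains {secret!r} in the clear")
```

Run against a real copy, the scan reports the password only if it was written
unprotected; a file that stores a derived key, a token, or ciphertext produces no
hit, which is the outcome a fix should give.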
Vendor Response:
No Response
Workaround:
Do not enable the "Remember Me" (store username and password) option in the
Rediffmail component of the Mobile Rediff application, so that no credentials
are written to phone storage.
For questions and comments please send an email to:
research@xxxxxxxxxxxxxx
Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories