[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

mChek 3.4 Information Disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: mChek 3.4 Information Disclosure
From: gursev.kalra@xxxxxxxxxxxxxx
Date: Tue, 21 Jul 2009 04:39:51 -0600

Advisory Title: mChek 3.4 Information Disclosure
Advisory ID: FSSA-2009-0401
Author: Gursev Kalra (gursev.kalra@xxxxxxxxxxxxxx)
Vendor Contact Date: 4/21/2009 (Vendor notified by email)
Release Date: 07/21/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave 
in same way.
Severity: Low (Information Disclosure)
Vendor Status: Version 3.8 fixes this problem

Overview: mChek application stores Credit/Debit Card numbers and bank name 
without protection

Application: mChek 3.4 by http://www.mchek.com/ 
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave 
in same way.
Severity: Low

Details:
mChek is an E-commerce application which allows users to store multiple 
credit/debit cards in the phone and use them when required. mChek (Version 3.4) 
application stores multiple Credit Card numbers and corresponding bank account 
information to phone storage without protection. It also provides a feature to 
Link Bank Accounts to this application. mChek application writes all this 
information to a file on the phone file system. Upon inspection, it was 
observed that credit card number and corresponding bank name was written in 
cleartext to mobile phone storage.  It was also observed that after a credit 
card is deleted from mCheck?s user interface, the credit card number continues 
to exist in the phone file system. If the phone is lost/stolen or any other 
phone user is able to read phone?s file system, the stored credit/debit card 
numbers and Bank name can be compromised. 

Vendor Response: 
mChek Version 3.4 is an older version of the product. The current version is 
3.8. In this version, cardnumber, bankname and phonenumber are not stored in 
clear text and using encrypted  storage. When the credit card information is 
deleted by the user, it?s deleted from the application DB as well but the 
behavior is not same in all phone make and models. We are providing enough 
protection to the sensitive data stored and the security is not dependent on 
the user ability to read the file system of the phone. 
Having said that, even in Version 3.4, only creditcard number and bank name 
were stored as cleartext. The risk was very low as it is not possible to make a 
transaction with cardnumber alone. All other sensitive data like exp date for 
example are encrypted and stored and encryption key never stored in mobile 
phone and making the information very secure.

Recommendation:
Upgrade to version 3.8 or above.

For questions and comments please send an email to:
research@xxxxxxxxxxxxxx

Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories

Prev by Date: [INFIGO-2009-07-09]: NASA Common Data Format remote buffer overflow(s)
Next by Date: Re: Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking
Previous by thread: [INFIGO-2009-07-09]: NASA Common Data Format remote buffer overflow(s)
Next by thread: Re: Re: [Full-disclosure] [ISecAuditors Security Advisories] Gmail vulnerable to automated password cracking
Index(es):
- Date
- Thread