A subsidiary of ZTE's mall APP used arbitrary User Password Reset and unauthorized access to a large amount of sensitive information.

Source: Internet
Author: User

http://www.zteup.com/view/toindex

ZTE Shangpin, a shopping website, has many problems in its APP. It exposes a large amount of sensitive information and allows the password of any user to be reset.

Scan the QR code to download the APP:


# First, the unauthorized access and the affected interfaces

/buyer/after/buyer/tomodifybuyer
/buyer/after/buyer/showbuyer
/buyer/after/receiveaddress/getreceiveaddresslist
Host: app.zteup.com:8070


Here the /buyer/after/receiveaddress/getreceiveaddresslist interface, which returns the most information, is used as an example:

By traversing the ID number in the request, you can view the user's name, phone number, shipping address, ID card number, and high-definition ID card photos:

The message returned by traversing the ID contains the image URL, but prefixing it with http://app.zteup.com:8070/ does not give an accessible address. To find where the pictures are actually stored, intercept the HTTP request that fetches the ID card image:

The Host in that request is img3.zteup.com, so the ID card photo addresses are:

http://img3.zteup.com/upload/20150211110753964528486.jpg

http://img3.zteup.com/upload/20150204170007915167538.jpg


# Design defect: resetting any user's password

The logic of this APP for retrieving a password is:

(1) enter your mobile phone number, and the system sends a verification code to that number;

(2) enter the verification code you received; if it is correct, you are taken to the password modification page;

(3) enter the new password and submit it for modification.

Because step 3 performs no verification of its own, anyone who has found the password-change interface can reset the password of any account.

After entering the new password and submitting the change, the following HTTP message is intercepted:

This is the password modification interface. Since it performs no verification, changing the account field to any other account changes that account's password.

There are not many mobile phone numbers here, so let's just try the number above and have it reset again:

Log on to the APP and take a look:

Solution:

Add verification to the password-change step, so that the request in step 3 is accepted only for the account that passed the verification-code check in step 2.
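The three-step flow fails because step 3 is not tied to step 2. The following is an added example of mine, not the app's code, showing one way to bind them: a correct verification code yields a short-lived, single-use reset token issued for that phone number, and the change-password step refuses any request whose token was not issued for the same phone. The in-memory stores and phone numbers are constructed stand-ins for the app's database.

```python
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the app's database (assumption);
# the phone numbers are sample values, not real accounts.
USERS = {
    "13800000001": {"password": "old-pass"},
    "13800000002": {"password": "other-pass"},
}
_pending_codes = {}  # phone -> (code, expires_at)
_reset_tokens = {}   # token -> (phone, expires_at)
CODE_TTL = 300       # seconds an SMS code stays valid
TOKEN_TTL = 300      # seconds a reset token stays valid


def request_code(phone, now=None):
    """Step 1: generate a one-time code for this phone (SMS delivery is out of scope)."""
    now = time.time() if now is None else now
    if phone not in USERS:
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_codes[phone] = (code, now + CODE_TTL)
    return code


def verify_code(phone, code, now=None):
    """Step 2: check the code; on success issue a reset token bound to this phone."""
    now = time.time() if now is None else now
    entry = _pending_codes.pop(phone, None)  # one attempt per code, right or wrong
    if entry is None:
        return None
    expected, expires_at = entry
    if now > expires_at or not hmac.compare_digest(expected, code):
        return None
    token = secrets.token_urlsafe(32)
    _reset_tokens[token] = (phone, now + TOKEN_TTL)
    return token


def change_password(phone, new_password, token, now=None):
    """Step 3: accept the new password only with a live token issued for this same phone."""
    now = time.time() if now is None else now
    entry = _reset_tokens.get(token)
    if entry is None:
        return False
    bound_phone, expires_at = entry
    if now > expires_at or bound_phone != phone:
        return False  # the account in the request cannot be swapped for another one
    del _reset_tokens[token]  # single use
    USERS[phone]["password"] = new_password
    return True
```

The token, not the phone number in the request, decides which account may be changed, which is exactly the check the reported interface lacks.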
