A subsidiary of ZTE's mall APP used arbitrary User Password Reset and unauthorized access to a large amount of sensitive information.
http://www.zteup.com/view/toindex
ZTE Shangpin (zteup.com), a shopping website, has multiple problems in its APP: it exposes a large amount of sensitive information and allows any user's password to be reset.
Scan the QR code to download the APP:
# First, the unauthorized access and the affected interfaces
/buyer/after/buyer/tomodifybuyer
/buyer/after/buyer/showbuyer
/buyer/after/receiveaddress/getreceiveaddresslist
Host: app.zteup.com:8070
The /buyer/after/receiveaddress/getreceiveaddresslist interface, which returns the most information, is used as the example here:
By traversing the ID parameter, the user's name, phone number, shipping address, ID card number and high-definition ID card photos can be viewed:
The response returned when traversing IDs above contains the path of the ID card image, but prepending http://app.zteup.com:8070/ to it does not give an accessible address. To find where the images are actually stored, the HTTP request for an ID card image is intercepted:
The Host turns out to be img3.zteup.com, so the ID card images are at:
http://img3.zteup.com/upload/20150211110753964528486.jpg
http://img3.zteup.com/upload/20150204170007915167538.jpg
# Next, the design flaw that allows any user's password to be reset
The APP's password-retrieval logic is:
(1) Enter your mobile phone number; the system sends a verification code to that number.
(2) Enter the verification code you received. If it is correct, you are taken to the password-modification page.
(3) Enter the new password and submit the modification.
Because step 3 performs no authentication, any user's password can be reset once the password-modification interface is known.
After entering the new password and submitting the change, the following HTTP message is intercepted:
This is the password-modification interface. Since it performs no verification at all, changing the account field to any other account changes that account's password.
Only a few mobile phone numbers appear in the returned data. Taking the number above as an example, the password-retrieval flow is run again for it:
Log on to the APP and take a look:
Solution:
Add verification ~
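The flaw above is that step 3 trusts the account field sent by the client and never checks that it is the account that passed the SMS verification in step 2. The following is an added example (not code from the report or from the zteup.com app) of a reset flow that closes this gap: step 2 issues a single-use token bound to the verified phone number, and step 3 takes the account to modify from that token, so a request that swaps in a different account is rejected. The stores, phone numbers and expiry values are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for the app's backend (assumption).
USERS = {"13800000001": b"old-pw-hash", "13800000002": b"old-pw-hash"}
OTP_STORE = {}     # phone -> (otp, expiry)
RESET_TOKENS = {}  # token -> (verified phone, expiry)

def hash_password(pw):
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

def step1_send_otp(phone, now=None):
    """Step 1: issue a short-lived OTP for the phone number (sent by SMS in reality)."""
    now = time.time() if now is None else now
    if phone not in USERS:
        return None  # the client response should not differ, to avoid enumeration
    otp = f"{secrets.randbelow(10**6):06d}"
    OTP_STORE[phone] = (otp, now + 300)
    return otp

def step2_verify_otp(phone, otp, now=None):
    """Step 2: on a correct OTP, hand out a single-use token bound to this phone."""
    now = time.time() if now is None else now
    record = OTP_STORE.pop(phone, None)  # one attempt per OTP, no reuse
    if record is None or now > record[1] or not hmac.compare_digest(record[0], otp):
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[token] = (phone, now + 600)
    return token

def step3_reset_password(account, token, new_password, now=None):
    """Step 3 (the fix): the account to modify must match the phone bound to the
    token. A mismatch burns the token and fails instead of resetting the account
    named in the request, which is exactly what the vulnerable interface allowed."""
    now = time.time() if now is None else now
    bound = RESET_TOKENS.pop(token, None)  # single use, also on failure
    if bound is None or now > bound[1]:
        return False
    if not hmac.compare_digest(bound[0], account):
        return False
    USERS[bound[0]] = hash_password(new_password)
    return True
```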