Yuantong Express Android client has a severe design defect: any user's password can be reset
Affected product: Android client of Yuantong Express, latest version 3.2.2
Impact: reset any user's password
Detailed description:
1. Target app: Yuantong Express delivery Android client, latest version 3.2.2.
The vulnerability is said to have been fixed in the iOS client; see the earlier report WooYun: yuantong express IOS client has severe design defects. You can reset any user password or be attacked by man-in-the-middle. Salute.
2. Start the "retrieve password" flow and intercept the server's returned data packet: the verification code is contained in the response itself, so the SMS to the account owner is never needed.
Taking a reset of the local account 13888888888 as an example: the verification code returned in the packet is 610784; the password is then changed, and login with the new password succeeds.
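To make the design defect concrete, here is an added, constructed in-memory model of a password-reset service (not Yuantong's code; all names such as sms_outbox, request_reset_vulnerable and verify_code are hypothetical). The vulnerable handler echoes the code in the API response, as the report describes; the hardened handler returns only a status, keeps a hashed copy server-side with an expiry and an attempt limit, and compares in constant time.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-ins for the SMS gateway and the server's session store (hypothetical).
sms_outbox = {}          # phone -> code "sent" by SMS to the account owner
_pending = {}            # phone -> {"digest", "expires", "attempts"}
CODE_TTL = 300           # seconds a code stays valid
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is discarded


def new_code():
    """Six-digit code from a CSPRNG (never a predictable counter or timestamp)."""
    return f"{secrets.randbelow(10**6):06d}"


def request_reset_vulnerable(phone):
    """The reported design: the code goes out by SMS but is ALSO returned in the
    API response, so whoever sees the response can reset that account."""
    code = new_code()
    sms_outbox[phone] = code
    return {"status": "ok", "code": code}


def request_reset_hardened(phone):
    """Corrected design: only a status leaves the server; the code exists in the
    SMS and, hashed, in server-side state."""
    code = new_code()
    sms_outbox[phone] = code
    _pending[phone] = {"digest": hashlib.sha256(code.encode()).digest(),
                       "expires": time.time() + CODE_TTL, "attempts": 0}
    return {"status": "ok"}


def verify_code(phone, submitted):
    """Server-side check: expiry, attempt limit, single use, constant-time compare."""
    entry = _pending.get(phone)
    if entry is None or time.time() > entry["expires"]:
        _pending.pop(phone, None)
        return False
    entry["attempts"] += 1
    ok = hmac.compare_digest(entry["digest"], hashlib.sha256(submitted.encode()).digest())
    if ok or entry["attempts"] >= MAX_ATTEMPTS:
        _pending.pop(phone, None)   # consumed on success, discarded after too many failures
    return ok
```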
Proof of vulnerability:
Same steps as in the detailed description above.
Solution:
You are more professional ~~~