
Shazam Android Unencrypted Third Party Analytics

Posted Apr 10, 2018
Authored by David Coomber | Site info-sec.ca

Shazam on Android versions 8.3.1-180206 and below discloses potentially sensitive information to third party analytics.

tags | advisory, info disclosure
SHA-256 | 7aaf8adbd9808cffa95f5a4202d80e89e9007773eb5a1b5f9c776ba84c92fe36

Shazam Android Application - Unencrypted Third Party Analytics

Overview

"Shazam is one of the world's most popular apps, used by hundreds of millions of people each month to instantly identify music that's playing and see what others are discovering. All for free."

(https://play.google.com/store/apps/details?id=com.shazam.android)

Issue

The Shazam Android application (version 8.3.1-180206 and below) sends potentially sensitive information, such as mobile carrier, install date and time, number of app launches, device model, Android version and screen resolution, unencrypted to a third party site (ScorecardResearch).

Impact

An attacker who can monitor network traffic could capture potentially sensitive information about the user's usage of the app and Android device without their knowledge.
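
A check a tester could run to confirm this class of issue and to verify a fix, added here as an example and not taken from the advisory: it scans request URLs exported from an intercepting proxy for cleartext requests that carry known attributes of the test device. Host names, parameter names and device values are constructed placeholders.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed attributes of the test device (assumed values, not from the advisory).
DEVICE_PROFILE = {
    "carrier": "ExampleTel",
    "device_model": "Pixel 2",
    "android_version": "8.1.0",
    "screen_resolution": "1080x1920",
}

# Hosts treated as first party for the app under test (placeholder).
FIRST_PARTY_SUFFIXES = ("app.example.com",)

# Constructed request URLs, as exported from a proxy during a test session.
# analytics.example.net stands in for the third-party analytics host;
# the parameter names are hypothetical, the advisory does not list them.
SAMPLE_REQUESTS = [
    "http://analytics.example.net/p?c1=19&carrier=ExampleTel&model=Pixel+2"
    "&os=8.1.0&res=1080x1920&launches=42",
    "https://analytics.example.net/p?c1=19&carrier=ExampleTel&model=Pixel+2",
    "http://cdn.example.net/img/logo.png?w=1080",
    "http://app.example.com/ping?os=8.1.0",
]

def is_first_party(host):
    """True if host equals or is a subdomain of a first-party suffix."""
    return any(host == s or host.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)

def find_cleartext_leaks(urls, profile=DEVICE_PROFILE):
    """Return (host, is_third_party, leaked attribute names) per cleartext hit."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme != "http":  # TLS-protected requests are out of scope here
            continue
        host = parts.hostname or ""
        # parse_qsl URL-decodes values, so "Pixel+2" is compared as "Pixel 2".
        values = {value for _, value in parse_qsl(parts.query)}
        leaked = sorted(name for name, val in profile.items() if val in values)
        if leaked:
            findings.append((host, not is_first_party(host), leaked))
    return findings

if __name__ == "__main__":
    for host, third_party, leaked in find_cleartext_leaks(SAMPLE_REQUESTS):
        scope = "third party" if third_party else "first party"
        print(f"cleartext to {host} ({scope}): {', '.join(leaked)}")
```

Matching on exact decoded values keeps false positives low, but it misses attributes sent in request bodies or in encoded form, so an empty result does not prove that nothing leaves the device in cleartext.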

Timeline

December 16, 2017 - Notified Shazam via security@shazam.com
January 9, 2018 - Provided the details to Apple via product-security@apple.com
January 12, 2018 - Apple asked for additional information
January 17, 2018 - Apple provided the details to the Shazam security team
February 7, 2018 - Asked Apple if they were able to confirm the issue
February 12, 2018 - Apple advised that the Shazam security team had taken over the investigation
February 12, 2018 - Thanked Apple for coordinating with the Shazam security team
February 14, 2018 - Shazam provided information about their privacy policy and how they collect analytics
February 14, 2018 - Provided additional information to Shazam about how analytics information is sent unencrypted
March 5, 2018 - Shazam provided an update on their plan to address the issue
March 19, 2018 - Shazam advised that version 8.4.1-180315 is available which sends analytics data to ScorecardResearch over an encrypted connection
April 9, 2018 - Published an advisory to document the issue

Solution

Upgrade to version 8.4.1-180315 or later

