Mobile Rediff suffers from a username and password disclosure vulnerability.
5ae381e30bdf914bd1f330628663502555fd19e691346335b2ccaae5a0726a7d
Advisory Title: Mobile Rediff Username and Password Disclosure
Advisory ID: FSSA-2009-0402
Author: Gursev Kalra (gursev.kalra@foundstone.com)
Application: MobileRediff 1.04 by http://www.rediff.com/
Vendor Contact Date: 4/24/2009 (Vendor notified by email)
Release Date: 7/15/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Medium (Information Disclosure)
Vendor Status: No Response received
Overview:
Rediffmail component of MobileRediff (Version 1.04) application allows username and password disclosure.
Details:
RediffMail component of MobileRediff (Version 1.04) application has a Remember Me function. When a user selects this option, the mobile application writes users username and password to phone storage in clear text without encryption. If the phone is lost, stolen or when any other person is able to access the file system on the phone, the stored username and password can be compromised.
Vendor Response:
No Response
Workaround:
Do not enable store username and password option on the Rediffmail component of Mobile Rediff application.
For questions and comments please send an email to:
research@foundstone.com
Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories