exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

mChek 3.4 Information Disclosure

mChek 3.4 Information Disclosure
Posted Jul 21, 2009
Authored by Gursev Kalra

mChek version 3.4 suffers from multiple information disclosure vulnerabilities.

tags | advisory, vulnerability, info disclosure
SHA-256 | 4b697710e11bd18ff568127838244f0c6f55b49f63b49517d2f97159eb399a80

mChek 3.4 Information Disclosure

Change Mirror Download
Advisory Title: mChek 3.4 Information Disclosure
Advisory ID: FSSA-2009-0401
Author: Gursev Kalra (gursev.kalra@foundstone.com)
Vendor Contact Date: 4/21/2009 (Vendor notified by email)
Release Date: 07/21/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Low (Information Disclosure)
Vendor Status: Version 3.8 fixes this problem

Overview: mChek application stores Credit/Debit Card numbers and bank name without protection

Application: mChek 3.4 by http://www.mchek.com/
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in same way.
Severity: Low

Details:
mChek is an E-commerce application which allows users to store multiple credit/debit cards in the phone and use them when required. mChek (Version 3.4) application stores multiple Credit Card numbers and corresponding bank account information to phone storage without protection. It also provides a feature to Link Bank Accounts to this application. mChek application writes all this information to a file on the phone file system. Upon inspection, it was observed that credit card number and corresponding bank name was written in cleartext to mobile phone storage. It was also observed that after a credit card is deleted from mCheck’s user interface, the credit card number continues to exist in the phone file system. If the phone is lost/stolen or any other phone user is able to read phone’s file system, the stored credit/debit card numbers and Bank name can be compromised.

Vendor Response:
mChek Version 3.4 is an older version of the product. The current version is 3.8. In this version, cardnumber, bankname and phonenumber are not stored in clear text and using encrypted storage. When the credit card information is deleted by the user, it’s deleted from the application DB as well but the behavior is not same in all phone make and models. We are providing enough protection to the sensitive data stored and the security is not dependent on the user ability to read the file system of the phone.
Having said that, even in Version 3.4, only creditcard number and bank name were stored as cleartext. The risk was very low as it is not possible to make a transaction with cardnumber alone. All other sensitive data like exp date for example are encrypted and stored and encryption key never stored in mobile phone and making the information very secure.

Recommendation:
Upgrade to version 3.8 or above.

For questions and comments please send an email to:
research@foundstone.com

Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close