eBay for Android Content Provider Information Disclosure Vulnerability

Sebastian Guerrero, a security researcher at viaForensics, has disclosed an interesting vulnerability in the eBay Android app prior to version 2.4.1 (detailed paper: https://viaforensics.com/mobile-security/ebay-android-content-provider-injection-vulnerability.html). It allows third-party apps to read, or even modify, sensitive information stored by the eBay app without requesting any permission.

The cause of this vulnerability is simple: the developer put local data such as the search history and purchase list into the app's Content Provider, and that provider placed no restriction on reading or writing.

The Content Provider is Android's feature for cross-app data sharing. Each app's private data directory is isolated from other apps, so a content provider is the standard way to share structured data between apps. Every app can create its own content providers and, subject to the permissions those providers declare, access the providers of others.

A content provider is identified by a URI (Uniform Resource Identifier) of the form content://com.ebay.mobile.providers.itemcacheprovider/saved_search and is organized like a database. Here com.ebay.mobile.providers.itemcacheprovider is the provider's authority and saved_search is the table name. To address a single row, append its ID to the path: content://com.ebay.mobile.providers.itemcacheprovider/saved_search/50 refers to record #50 in the table. The ContentResolver methods query(), insert(), update() and delete() supplied by Android perform the CRUD (create, read, update and delete) operations against these URIs.

Android also exposes the calendar and contacts through content providers so that developers can access them; however, the corresponding permissions (for example READ_CONTACTS) are required.

By default an exported content provider can be accessed by anyone, whether from a third-party app or from the ADB (Android Debug Bridge) shell. (A provider is exported by default for apps whose minSdkVersion or targetSdkVersion is 16 or lower; from API level 17 the default became false, but a provider declared with android:exported="true" and no permissions is just as open.) It is not wise to put sensitive information, or data that would otherwise require a permission, into such a provider.

There are six vulnerable tables in total in eBay's content provider:

content://com.ebay.mobile.providers.itemcacheprovider/event
content://com.ebay.mobile.providers.itemcacheprovider/item
content://com.ebay.mobile.providers.itemcacheprovider/list
content://com.ebay.mobile.providers.itemcacheprovider/local_notifications
content://com.ebay.mobile.providers.itemcacheprovider/name_value
content://com.ebay.mobile.providers.itemcacheprovider/saved_search


The information is stored JSON-encoded. The decoded contents:

[Screenshot: decoded JSON contents of the tables]

To fix this vulnerability, add readPermission and writePermission to the provider declaration in the AndroidManifest file, which the original manifest failed to do (if no other app needs the data at all, android:exported="false" is the simpler fix):

[Screenshot: the corrected provider entry in AndroidManifest.xml]
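As an added example (not the original post's screenshot and not eBay's actual manifest), here is an unprotected provider declaration next to a hardened one. The authority is taken from the URIs listed above; the class name ItemCacheProvider and the permission names com.ebay.mobile.permission.READ_ITEM_CACHE and WRITE_ITEM_CACHE are hypothetical.

```xml
<!-- Added example, not eBay's real manifest. Authority taken from the URIs
     above; class name and permission names are hypothetical. -->

<!-- BEFORE (vulnerable): no readPermission/writePermission. For apps whose
     minSdkVersion/targetSdkVersion is 16 or lower the provider is exported by
     default, so any installed app, or "adb shell content query", can read and
     write every table. -->
<provider
    android:name=".providers.ItemCacheProvider"
    android:authorities="com.ebay.mobile.providers.itemcacheprovider" />

<!-- AFTER (hardened) -->

<!-- 1. Define app-specific permissions. protectionLevel="signature" grants
        them only to apps signed with the same key as this app; "dangerous"
        would instead let any app request them with a user prompt. -->
<permission
    android:name="com.ebay.mobile.permission.READ_ITEM_CACHE"
    android:protectionLevel="signature" />
<permission
    android:name="com.ebay.mobile.permission.WRITE_ITEM_CACHE"
    android:protectionLevel="signature" />

<!-- 2. Require them on the provider. exported is set explicitly so the
        behaviour does not depend on the SDK level. If no other app should
        ever reach this data, android:exported="false" alone is enough. -->
<provider
    android:name=".providers.ItemCacheProvider"
    android:authorities="com.ebay.mobile.providers.itemcacheprovider"
    android:exported="true"
    android:readPermission="com.ebay.mobile.permission.READ_ITEM_CACHE"
    android:writePermission="com.ebay.mobile.permission.WRITE_ITEM_CACHE" />
```

To check either state from a development machine, Android 4.1.1 and later ship the content tool: `adb shell content query --uri content://com.ebay.mobile.providers.itemcacheprovider/saved_search`. Against the vulnerable declaration it dumps the rows; against the hardened one the call is refused with a Permission Denial error, because the shell user does not hold the signature-level permission.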

One lesson can be learned from this case: a content provider is not private storage. Set proper permissions before you put sensitive information into it!

TrustLook on CBNWeekly

CBNWeekly, a well-known business news magazine in China, featured TrustLook's start-up story in its cover article. (Link: http://storeweb.cbnweek.com/v/article?id=5875)


The article is about how Silicon Valley entrepreneurs choose their investors; TrustLook's path in seeking its series A funding was cited as an example:

Before Allan Zhang decided to quit his job and work full-time on TrustLook, Lane Bess, the CEO of Palo Alto Networks, had dinner with him. The next day, Lane offered him a $100,000 check.

The most surprising investor appeared one week before TrustLook launched its product in July 2013. Allan had a special visitor at his office in San Jose: Zhou Hongyi, founder and CEO of QiHoo 360 (NYSE: QIHU), who had come to invest in TrustLook. They completed the negotiation the same day: QiHoo wanted to take 25% equity regardless of the valuation, with no extra clauses. The benefit outside the investment contract is that QiHoo could give strong support to this Silicon Valley-based start-up in entering the Chinese security market.

Although the offer is attractive, the TrustLook team has not yet decided whether to accept QiHoo's investment. One reason is that funding is not Allan's greatest concern: in the first week after launching TrustLook, he had already secured $1.4 million in seed funding.

"The cost of establishing a start-up is lower than ever. Money is no longer the problem. The most important thing is that you should know what kind of support you need," Allan Zhang told CBNWeekly.

Besides QiHoo, Tencent, Baidu and Shengda have all come to Silicon Valley to seek investment targets, competing to attract entrepreneurs like Allan Zhang. The question for early-stage start-ups has become "whose money is more valuable" rather than "who is willing to invest".