File Expert App AWS Credential Leak

This is a follow-up to our previous post. We have found that a popular file management and cloud storage app, “File Expert” (over 20 million installs), leaked its AWS credential inside its APK file, which allowed attackers to gain access to the app's Amazon cloud infrastructure.
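
A hard-coded AWS key pair shipped inside an APK is something a release check can catch before an app is published. The following is an added example, not Trustlook's scanner or File Expert's code: it walks the entries of a constructed APK-style zip, flags AWS access key IDs, pairs each with a secret-key candidate found nearby, and redacts both for reporting. The credential values embedded in the sample are AWS's documented example credentials, not real ones.

```python
import io
import re
import zipfile

# AWS access key IDs are 20 chars: a 4-letter prefix (AKIA = long-term, ASIA = temporary)
# followed by 16 uppercase alphanumerics. Secret keys are 40 base64-like characters.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
SECRET_WINDOW = 256  # only report a secret candidate this close to an access key ID

def mask(value: bytes) -> str:
    """Redact a credential for reporting: keep only the first and last four characters."""
    s = value.decode("ascii", "replace")
    return s[:4] + "*" * (len(s) - 8) + s[-4:]

def scan_apk_for_aws_keys(apk_bytes: bytes) -> list[dict]:
    """Walk every entry of the APK (a zip file) and report hard-coded AWS credentials."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            data = apk.read(name)
            for m in ACCESS_KEY_RE.finditer(data):
                # Search for a secret only in a window around the access key ID; the loose
                # 40-char secret pattern would otherwise flood the report with false positives.
                lo, hi = max(0, m.start() - SECRET_WINDOW), m.end() + SECRET_WINDOW
                secrets = [s.group(0) for s in SECRET_KEY_RE.finditer(data[lo:hi])]
                findings.append({
                    "entry": name,
                    "offset": m.start(),
                    "access_key_id": mask(m.group(0)),
                    "secret_nearby": mask(secrets[0]) if secrets else None,
                })
    return findings

def build_sample_apk() -> bytes:
    """Constructed APK-like zip for the demo, embedding AWS's documented example credentials."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64 + b"no credentials here")
        z.writestr("assets/s3.properties",
                   b"accessKey=AKIAIOSFODNN7EXAMPLE\n"
                   b"secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_apk_for_aws_keys(build_sample_apk()):
        print(finding)
```

On a real build, run the scanner over the signed APK as a CI gate; a finding means the key must be rotated, not merely removed from the next release, because every copy already downloaded still carries it.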

Trustlook has worked with the File Expert team, and the problem has already been fixed. The original leaked key is no longer valid, and the newest version has changed the way it accesses AWS. As the fix is on the server side, it can no longer be exploited regardless of the app version.

We will keep posting updates on our progress and discoveries regarding credential leak vulnerabilities.

—————

Mar 30: Vulnerability discovered when scanning Google Play
Apr 1: Notified vendor
Apr 2: Vendor responded, started investigation
Apr 6: Vulnerability confirmed and fixed
Apr 10: Disclosed
