This is a follow-up to our previous post. We found that a popular file management and cloud storage app, “File Expert” (over 20 million installs), had leaked its AWS credential inside the APK file, which allowed attackers to gain access to the Amazon cloud infrastructure.
Trustlook has been working with the File Expert team, and the problem has already been fixed. The original leaked key is no longer valid, and the newest version has changed how the app accesses AWS. As the fix is on the server side, it can no longer be exploited regardless of the app version.
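The check a development team or app-vetting pipeline would want after reading the above is a scan of the built APK for hard-coded AWS keys before it ships. The following is an added example written for this post; it is not Trustlook's scanner nor File Expert's code. It treats the APK as the ZIP archive it is, walks every entry (string constants are stored verbatim inside classes.dex and resources.arsc, so a byte regex works on them too), and reports access key IDs by their fixed 20-character format plus 40-character secret-key candidates that appear near the word "secret". The sample APK is constructed in memory, and the key pair inside it is the inert placeholder pair from AWS's own documentation, not a real credential.

```python
"""Scan an Android APK (a ZIP archive) for hard-coded AWS access keys.

Added example for this post; not Trustlook's or File Expert's code.
The sample APK below is constructed in memory so the scan runs offline.
"""
import io
import re
import zipfile
from typing import Dict, List

# AWS access key IDs are 20 characters: a 4-character prefix (AKIA for
# long-term IAM user keys, ASIA for temporary STS keys) followed by 16
# upper-case alphanumerics. Secret access keys are 40 characters drawn
# from [A-Za-z0-9/+]; we only flag them when they sit near "secret" to
# keep false positives down.
ACCESS_KEY_RE = re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY_RE = re.compile(
    rb"(?i)secret[^\n]{0,40}?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_bytes(data: bytes) -> Dict[str, List[str]]:
    """Return access key IDs and secret-key candidates found in a byte blob."""
    return {
        "access_key_ids": sorted(
            {m.group(0).decode() for m in ACCESS_KEY_RE.finditer(data)}
        ),
        "secret_key_candidates": sorted(
            {m.group(1).decode() for m in SECRET_KEY_RE.finditer(data)}
        ),
    }


def scan_apk(apk_bytes: bytes) -> Dict[str, Dict[str, List[str]]]:
    """Walk every file entry in the APK; map entry name -> findings (hits only)."""
    findings: Dict[str, Dict[str, List[str]]] = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Binary entries (classes.dex, resources.arsc) embed string
            # constants as plain bytes, so the same regexes apply to them.
            result = scan_bytes(zf.read(info.filename))
            if any(result.values()):
                findings[info.filename] = result
    return findings


def build_sample_apk() -> bytes:
    """Construct a minimal APK-like zip for the demo (not a real app).

    The key material is the placeholder pair published in AWS documentation,
    which is not a working credential.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='com.example.fileapp'/>")
        zf.writestr(
            "res/values/strings.xml",
            "<resources>"
            "<string name='aws_access_key'>AKIAIOSFODNN7EXAMPLE</string>"
            "<string name='aws_secret_key'>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</string>"
            "</resources>",
        )
        zf.writestr(
            "assets/config.json",
            '{"region": "us-east-1", "bucket": "example-bucket"}',
        )
    return buf.getvalue()


if __name__ == "__main__":
    for entry, hits in scan_apk(build_sample_apk()).items():
        print(entry, hits)
```

Run against a real build with `scan_apk(open("app-release.apk", "rb").read())`. A hit is a release blocker: as the post notes, the durable fix is to keep the credential on the server (or hand the app short-lived, scoped tokens) rather than to obfuscate the string, since anything shipped in the APK can be read out of it.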
We’ll keep posting updates on our progress and discoveries regarding credential leak vulnerabilities.
Mar 30: Vulnerability discovered when scanning on Google Play
Apr 1: Notified Vendor
Apr 2: Vendor responded, started investigation
Apr 6: Vulnerability confirmed and fixed.
Apr 10: Disclosed