Security experts have revealed two vulnerabilities they found in a popular social app which could enable account takeover (ATO) or customer data loss.
The now-patched issues were given a medium CVSS rating. They appear in Zenly, a smartphone app that allows users to see where friends and family are on a map.
The first bug exposes users’ phone numbers and could therefore be used to craft believable vishing attacks, according to researchers at Checkmarx.
“When submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not. To obtain this information, a malicious actor only needs to know their username,” they explained.
“While obtaining a username could be a difficult task by itself, it is made easier by the fact Zenly also exposes an exhaustive list of friends of a user. This means that, for obtaining the phone number of a user, a malicious actor does not need to know their username at the start, but is able to follow a chain of friends until one of them has the victim in their friends list.”
Checkmarx warned that the bug could be exploited to target CEOs or senior decision makers in organizations who may be using the app, via other users in the organization.
The second ATO vulnerability stems from the way the Zenly API handles session authentication.
The app first calls a “/SessionCreate” endpoint with the user’s phone number; the server creates a session token and sends an SMS verification code to that number. The app then calls the “/SessionVerify” endpoint with both the session token and the code received by SMS, in order to log the user in.
“An attacker can take over a user account by abusing the /SessionCreate endpoint, which will consistently return the same session token (although not yet valid) for the same user. Once the legitimate user validates the SMS code for that session token, the session will become valid for both the legitimate user and the attacker,” Checkmarx explained.
“The main point of this issue is that the attacker needs to obtain a session token before the legitimate user calls the /SessionVerify endpoint. This can be done either before or after the legitimate user calls the /SessionCreate endpoint.”
However, this isn’t necessarily simple to achieve, hence the CVSS score of 4.7. It would require the attacker to know the victim’s mobile number and to know when the victim will log in, sign up, register a new device or go through the authentication flow for other reasons.
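To make the session-token weakness concrete from a defender’s side, here is an added simulation of the two-step phone login described above. It is illustrative code written for this article, not Zenly’s implementation: the endpoints, the class names and the `client_id` argument (standing in for a client identity the server derives itself, such as a registered device key) are all assumptions of the model. The vulnerable service hands every caller the same pending token for a given phone number, so once the owner verifies it, any other holder is logged in too. The hardened service mints a fresh random token per request, lets only the requesting client verify it, retires every other pending login for that number on success, and raises an alert when a second client starts a login for a number that already has one pending, which is the precondition the article describes.

```python
"""Two-step phone login (SessionCreate / SessionVerify) modelled two ways.

Illustrative stand-ins written for this article, not Zenly's code. The
client_id argument stands for an identity the server derives itself (for
example a registered device key); that is an assumption of this model.
"""
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class PendingSession:
    phone: str
    client_id: str      # client that requested this token
    sms_code: str
    verified: bool = False


def _new_code() -> str:
    """Six-digit SMS code drawn from a CSPRNG."""
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableSessionService:
    """SessionCreate hands every caller the same pending token for a phone."""

    def __init__(self) -> None:
        self.pending: dict[str, PendingSession] = {}              # token -> session
        self.sms_outbox: dict[str, list[str]] = defaultdict(list)  # phone -> codes sent

    def session_create(self, phone: str, client_id: str) -> str:
        token = "sess-" + phone            # deterministic: identical for any caller
        if token not in self.pending:
            self.pending[token] = PendingSession(phone, client_id, _new_code())
        self.sms_outbox[phone].append(self.pending[token].sms_code)
        return token

    def session_verify(self, token: str, code: str) -> bool:
        sess = self.pending.get(token)
        if sess is None or not hmac.compare_digest(sess.sms_code, code):
            return False
        sess.verified = True               # validates the token for every holder
        return True

    def is_logged_in(self, token: str, client_id: str) -> bool:
        sess = self.pending.get(token)     # client_id is ignored: no binding
        return sess is not None and sess.verified


class HardenedSessionService:
    """Fresh random token per call, bound to the caller; verify retires the rest."""

    def __init__(self) -> None:
        self.pending: dict[str, PendingSession] = {}
        self.sms_outbox: dict[str, list[str]] = defaultdict(list)
        self.alerts: list[str] = []        # defender-facing signal for SOC review

    def session_create(self, phone: str, client_id: str) -> str:
        others = {s.client_id for s in self.pending.values() if s.phone == phone}
        if others and client_id not in others:
            # A second client starting a login on a number that already has one
            # pending is the precondition for the token-sharing problem.
            self.alerts.append(f"concurrent SessionCreate for {phone} from {client_id}")
        token = secrets.token_urlsafe(32)  # unguessable, never reused
        sess = PendingSession(phone, client_id, _new_code())
        self.pending[token] = sess
        self.sms_outbox[phone].append(sess.sms_code)
        return token

    def session_verify(self, token: str, code: str, client_id: str) -> bool:
        sess = self.pending.get(token)
        if sess is None or sess.client_id != client_id:
            return False                   # only the requesting client may verify
        if not hmac.compare_digest(sess.sms_code, code):
            return False
        stale = [t for t, s in self.pending.items() if s.phone == sess.phone and t != token]
        for other_token in stale:
            del self.pending[other_token]  # retire every other pending login
        sess.verified = True
        return True

    def is_logged_in(self, token: str, client_id: str) -> bool:
        sess = self.pending.get(token)
        return sess is not None and sess.verified and sess.client_id == client_id


if __name__ == "__main__":
    # Constructed demo: the owner's device and a second client both start a login.
    for svc_cls in (VulnerableSessionService, HardenedSessionService):
        svc = svc_cls()
        t_user = svc.session_create("+15550100", "user-device")
        t_other = svc.session_create("+15550100", "other-client")
        code = svc.sms_outbox["+15550100"][0]      # the code the owner received
        if isinstance(svc, VulnerableSessionService):
            ok = svc.session_verify(t_user, code)
        else:
            ok = svc.session_verify(t_user, code, "user-device")
        print(svc_cls.__name__, "same token:", t_user == t_other,
              "owner verified:", ok,
              "other client logged in:", svc.is_logged_in(t_other, "other-client"))
```

The two properties that matter are separate: the token must be unpredictable and unique per request, and verification must bind the token to the client that asked for it. Either one alone closes the sharing path; together they also turn a second SessionCreate on an already-pending number into something a SOC can alert on rather than a silent success.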
Checkmarx thanked Zenly for its professionalism, cooperation and prompt ownership in working to fix the issues.