Android Camera App Camera360 Ultimate found to leak sensitive user data including user images
If you thought that only Android operating system is in dire straits think again. FireEye researchers have found that the popular Google Play app, Camera360 Ultimate, has been found to inadvertently leak sensitive data. According to FireEye, the vulnerability in Camera360 Ultimate’s cloud services gives malicious parties unauthorized access to users’ Camera360 Cloud accounts and photos.
Camera360 is a popular photo shooting and editing application with millions of users worldwide. It has been downloaded about 30 million times and has a 4.4 rating from 2 million users. It provides a free cloud service for storage of pictures too; to use the cloud feature, users create a cloud account that can also be accessed via the website www.cloud.camera360.com.
FireEye has found that the vulnerability lies in the Apps’s cloud services. The cloud access is protected by username and password. But when the app accesses the cloud, it leaks sensitive data, in unencrypted form, to Android system log (logcat) and network traffic.
Apps that can read logcat or capture network traffic can steal this data. Also, a malicious party present in the same Wi-Fi network as the device can steal this data by using Wi-Fi sniffing.
“Leaked data can be used to download all of the user’s images, except those in the user’s ‘secret album,’” FireEye explained in a blog. “The secret album option uses an additional password to secure important images. This particular Android app does not access these secret images and all images uploaded from the device to the cloud are by default non-secret.”
Leaked data can be used in the following ways for unauthorized access to user images:
- Creating new login session using leaked credentials. Then, fetching keys of images from the server and using them to download images
- Hijacking the login session, using a leaked token, to download images
- Using the leaked image keys to download images without authentication
Also, images within captured network traffic can be easily extracted and viewed.The App leaks permanent and non-expiring image keys, which can be used by malicious actors to download images without providing credentials or token.
The FireEye researchers also found that the App transfers images to and fro from the App to its cloud server through unencrypted network traffic, which attackers can steal using a network sniffer.
Another critical hole is that leaked email addresses and password hashes can be used to send an unauthorized login request to the server. FireEye says that the potential hackers can obtain user passwords by cracking the leaked password hash. Password hashes and leaked email addresses can be used to log in to the cloud service.
“It is crucial that Android app developers improve security to provide users with a better and more protected Android experience,” FireEye concluded.
It is not known whether FireEye has informed PinGuo, the publishers of Camera360 Ultimate about the vulnerability and the publishers/developers have patched it.
Further, Camera360 Ultimate is also available for iPhone and iPad, FireEye does not mention whether the iOs users are as vulnerable as Android owners in its vulnerability report. It can be assumed that iOS App also uses the same token and traffic system as Android, therefore it is equally vulnerable to this exploit.