My first bug?

A few weeks back I watched InsiderPHD’s video on mobile bug bounty hunting and decided to check it out.
The app of choice was the app my girl's kindergarten uses. I know it's a grey area since it's not in a bounty program, but my reasoning is, this is little children we are talking about so it has to be secure. In the app parents can send messages to the children's teachers and vice versa. The teachers can post pictures of the children's work and so forth, lots of stuff. I actually really like this app.

So I got to work on it.
I have a rooted Android phone, set up my Burp Suite. After quite some hassle I figured out how to put Burp Suite's SSL cert as a trusted system-wide cert on the phone. Searched around for proxy toggling apps on the phone; ProxyDroid was flagged as malware so just in case I uninstalled it. But I found an open source app, ProxyToggle. After a huge amount of trouble I got adb working, I am still unsure whether Frida works or not.

Anyway, I proxied the phone, fired up the app, logged in and got some JSON info from the app. I saw an interesting field, student id… I changed it… Nothing, no student. Fair enough, the id seemed to be generated and not just incremented with each new child enrolled in a kindergarten. But just for good measure, I changed it more. Third try I got a hit. I managed to get info I shouldn't get on a child living in a different part of the country. This was what I was looking for, a bug, an IDOR.
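To show the kind of server-side check that turns the IDOR described above into the "Unauthorized" response the app later returned, here is an added example (not code from the post or from the app's vendor) that models the student lookup as plain Python functions, with the vulnerable form beside the hardened one and a small detection helper; the student ids, guardian links and audit log are constructed assumptions.

```python
from collections import Counter

# Constructed sample data (assumption): students keyed by an opaque id, and
# which guardian accounts are linked to which students.
STUDENTS = {
    "s-7f3a": {"name": "Child A", "group": "Yellow room"},
    "s-91c0": {"name": "Child B", "group": "Blue room"},
}
GUARDIAN_OF = {
    "parent-1": {"s-7f3a"},
    "parent-2": {"s-91c0"},
}

# Audit trail of denied lookups, consumed by the detection helper below.
AUDIT_LOG = []


def get_student_insecure(session_user, student_id):
    """Vulnerable form (IDOR): the client-supplied id is looked up directly
    and the authenticated user is never checked against it."""
    return STUDENTS.get(student_id)


def get_student_secure(session_user, student_id):
    """Hardened form: object-level authorization. The lookup succeeds only
    if the authenticated guardian is linked to the requested student. An
    unknown id and an unlinked id both produce the same 401 response, so
    the endpoint does not reveal which ids exist."""
    if student_id not in GUARDIAN_OF.get(session_user, set()):
        AUDIT_LOG.append((session_user, student_id))
        return 401, {"error": "Unauthorized"}
    student = STUDENTS.get(student_id)
    if student is None:
        # Linked but missing record: a data problem, not an authz failure.
        return 404, {"error": "Not found"}
    return 200, student


def suspicious_users(audit_log, threshold=3):
    """Detection: guardians with at least `threshold` denied lookups, the
    pattern left behind by someone iterating ids as the post describes."""
    counts = Counter(user for user, _ in audit_log)
    return {user for user, n in counts.items() if n >= threshold}
```

The denied-lookup counter is the signal a defender would alert on; an opaque id alone, as the post found, only slows the guessing down.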

This was late at night, my wife was asleep so I had no one to talk to about this. Adrenaline flowing, I had a bit of trouble going to sleep. I asked around for help on writing a report on this bug but no one seemed to notice. A few days went by and I hadn't even started to write the report. I was actually hesitant about reporting this, why? Because another father had found a similar bug in a web app made by the same company and had gotten in some trouble over it.

Well, quite some time later I decided to check again and see if I could get pictures I shouldn't, and THAT would definitely get reported. I put in the child's ID: "Unauthorized". They seemed to have fixed the bug. I had mixed feelings. Did they spot my prodding and fix it due to that? If so, good on them, good security measures. I, however, would not get recognized for finding the bug, but how would they have tackled it if I had reported it?

In the end I am excited to have found it and feel good about the bug getting fixed. My daughter's info and images are a bit safer.

Stay curious, stay safe.