Phishing user to download malicious app could lead to leakage of User Access Token, Email, Name and Profile photo via exported RemoteService
State Resolved (Closed)
Disclosed publicly 2018-09-11T04:57:13.286Z
Reported To
Weakness Information Disclosure
Bounty $300
Summary by shivasurya

One of the service components in the Zomato Android app was open to bind a service connection (AIDL). So, if an attacker had phished a user into downloading a malicious app, it could have led to leakage of the user's access token, which leads to account takeover.

Zomato acted promptly to fix the issue and rolled out the update.
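The root cause described above is a service that any co-installed app can bind to. The check a reviewer would run first is on the manifest: which services are effectively exported and have no permission gate? The script below is an added example, not code from the report or from Zomato; it applies the platform's own defaults (an explicit android:exported wins; otherwise a component is exported only if it declares an intent-filter, which was the default before API level 31) to a constructed sample manifest. Component names such as RemoteService in the sample are placeholders, not Zomato's real component names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest for illustration (not any real app's manifest).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <!-- explicitly exported, no permission: any app can bindService() to it -->
    <service android:name=".RemoteService" android:exported="true" />
    <!-- intent-filter and no exported attribute: implicitly exported before API 31 -->
    <service android:name=".SyncService">
      <intent-filter>
        <action android:name="com.example.app.SYNC" />
      </intent-filter>
    </service>
    <!-- exported, but callers must hold the app's own permission -->
    <service android:name=".InternalService" android:exported="true"
        android:permission="com.example.app.permission.INTERNAL" />
    <!-- not reachable from other apps -->
    <service android:name=".LocalService" android:exported="false" />
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace (None if absent)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(component):
    """Effective export state: explicit android:exported wins; otherwise the
    component is exported iff it declares an <intent-filter> (pre-API-31 default)."""
    explicit = _attr(component, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    return component.find("intent-filter") is not None


def find_unprotected_exported_services(manifest_xml):
    """Names of services that any co-installed app can bind to: exported and
    carrying no android:permission attribute."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return []
    return [
        _attr(svc, "name")
        for svc in app.findall("service")
        if is_exported(svc) and _attr(svc, "permission") is None
    ]


if __name__ == "__main__":
    for name in find_unprotected_exported_services(SAMPLE_MANIFEST):
        print("exported service without permission gate:", name)
```

Against the sample this flags `.RemoteService` and `.SyncService`. For a real APK, feed it the decoded `AndroidManifest.xml` from `apktool d app.apk` (the binary manifest inside the APK is not plain XML). Two caveats: a permission attribute only helps if its `protectionLevel` is `signature` (a `normal` or `dangerous` permission can be requested by the malicious app), and a service that must stay exported should still verify the caller inside `onBind()` or each AIDL method, for example by resolving `Binder.getCallingUid()` to its package and checking the signing certificate, rather than trusting any process that managed to bind.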

Summary by shivasurya

Thanks @shivasurya for helping us keep @zomato secure :)

Timeline
submitted a report to Zomato .
2018-07-19T17:54:38.347Z

Regards,
Frans

shivasurya Activities::Comment 2018-07-19T17:58:11.676Z
prateek_0490-zomato Activities::BugTriaged 2018-07-20T04:37:05.242Z
prateek_0490-zomato Activities::ReportSeverityUpdated 2018-07-20T04:37:16.453Z
shivasurya Activities::Comment 2018-07-20T05:10:06.285Z
prateek_0490-zomato Activities::Comment 2018-07-20T05:15:56.333Z
shivasurya Activities::Comment 2018-07-20T05:18:20.793Z
prateek_0490-zomato Activities::Comment 2018-07-20T05:21:30.053Z
shivasurya Activities::Comment 2018-07-20T05:25:11.211Z
prateek_0490-zomato Activities::BugResolved 2018-08-01T03:58:13.740Z
shivasurya Activities::Comment 2018-08-01T05:35:35.330Z
shivasurya Activities::AgreedOnGoingPublic 2018-08-01T05:35:52.621Z
Activities::BountyAwarded 2018-08-01T05:37:27.346Z
prateek_0490-zomato Activities::Comment 2018-08-01T05:39:40.241Z
shivasurya Activities::Comment 2018-08-01T10:23:27.474Z
shivasurya Activities::Comment 2018-08-06T11:28:14.594Z
shivasurya Activities::Comment 2018-09-05T18:11:20.182Z
prateek_0490-zomato Activities::Comment 2018-09-05T18:13:28.166Z
shivasurya Activities::Comment 2018-09-05T18:20:26.562Z
shivasurya Activities::Comment 2018-09-06T13:25:24.934Z
prateek_0490-zomato Activities::Comment 2018-09-06T13:29:18.434Z
prateek_0490-zomato Activities::ReportTitleUpdated 2018-09-06T13:41:38.172Z
shivasurya Activities::Comment 2018-09-06T15:05:17.930Z
shivasurya Activities::Comment 2018-09-07T16:48:16.393Z
prateek_0490-zomato Activities::Comment 2018-09-08T15:15:20.690Z
prateek_0490-zomato Activities::AgreedOnGoingPublic 2018-09-11T04:57:13.170Z
prateek_0490-zomato Activities::ReportBecamePublic 2018-09-11T04:57:13.715Z