Insecure management of login credentials in PicsArt Photo Studio for Android

1. Advisory Information

Title: Insecure management of login credentials in PicsArt Photo Studio for Android
Advisory ID: STIC-2014-0426
Advisory URL: http://www.fundacionsadosky.org.ar/publicaciones-2
Date published: 2014-11-06
Date of last update: 2014-11-06
Vendors contacted: PicsArt
Release mode: Unilateral release

2. Vulnerability Information

Class: Improper Certificate Validation [CWE-295], Insufficiently Protected Credentials [CWE-522]
Impact: Data loss
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Identifier: CVE-2014-5674, CVE-2014-NOCVE

3. Vulnerability Description

PicsArt Photo Studio is a free and full featured photo-editing and drawing mobile app available on Android, iOS and Windows Phone. As of October, 2014 the Android version of the app had between 100 and 500 million downloads from the Google Play store. According to the vendor the app has been installed more than 175 million times, has a 7 million monthly growth and more than 45 million monthly active users[1]. Users can take, edit, publish and share photos on the PicsArt website and on popular social networks such as Facebook, Twitter and Google+ directly from the mobile app.

Originally the PicsArt application for Android[2] did not use HTTPS to send security-sensitve information to the servers, allowing attackers to hijack PicsArt user accounts simply by capturing network traffic. After our original report to the vendor in May 2014, the app started using HTTPS but it does not validate the server's SSL certificate, allowing an attacker to perform Man-In-The-Middle attacks. PicsArt user accounts can still be hijacked by capturing the user id sent as value of the key parameter in certain HTTPS GET requests.

Additionally, a user can sign up to PicsArt using her Facebook, Twitter or Google+ account or using a standard email and password scheme. When the user signs up using a third party social network account, the user ID and access token obtained from those social networks are sent to the PicsArt servers to identify the user during the login phase.

This implies that the PicsArt servers, not just the PicsArt Photo Studio application running on thte user's device, can impersonate the user on the social networks. However the PicsArt server API does not verify if the user's Google+, Facebook or Twitter access token is valid during the login of the Android application. As a result, an attacker can send a login request providing only a social network ID to obtain the PicsArt's credentials associated to that Google+/Facebook/Twitter user. This allows the attacker to obtain access to any user account created from a social network account. The attacker can also steal access tokens of PicsArt users to third party social networks such as Facebook, Twitter, Google+, etc. This issue affects all PicsArt user's who access their account via Google+/Facebook/Twitter.

4. Vulnerable packages

5. Vendor Information, Solutions and Workarounds

After the initial report to the vendor, PicsArt released version 4.2.2. This version started using HTTPS for most, but not all, of the server API. Since 4.6.3 there are no API methods that leak the user's session key using HTTP. Adding HTTPS communication to the server in 4.2.2 didn't help fixing the problem since the application lacks of certificate validation allowing Man-in-the-Middle attacks. Despite several notifications sent to PicsArt, the last version (4.6.12, as of publication of this advisory) is still missing proper certificate validation checks.

The server API is still missing the validation of the login access token.

A workaround to prevent attackers from compromising a PicsArt user's Facebook, Twitter or Google+ account is to disable the PicsArt application access to their profile. From Facebook or Twitter go to "Settings|App" and remove PicsArt application from the list of apps. For Google+ go to "Account|Security|Apps and websites" and click on revoke access on PicsArt application.

PicsArt users concerned about their privacy or the security of their account should stop using the Andorid application until patches with proper SSL certificate validation are issued by the vendor nad the Server APIs fixed.

6. Credits

This vulnerability was discovered and researched by Joaquín Manuel Rinaudo. The publication of this advisory was coordinated by Programa de Seguridad en TIC. Will Dormann of CERT/CC independently discovered the SSL certificate validation vulnerability using the CERT Tapioca tool.[5]

7. Technical Description

A user can sign up to PicsArt using her Facebook[3], Twitter[4] or Google+ account or using a standard email and password scheme. When a user signs using a social network, the PicsArt application uses the OAuth protocol to communicate with that site. If the user authorizes it, the PicSart application is provided with an access token from either Facebook, Twitter or Google+ that can be used to retrieve personal information or perform actions on behalf of that user.

The application then uploads the access token to the PicsArt servers along with the ID of that user so that the server can create a new account associated to the user. Up to PicsArt version 4.2.2, this communication was done entirely over HTTP. An attacker capturing the request to http://api.picsart.com/users/signin.json could retrieve the access token of Facebook, Twittter and Google+ as well as hijack the session token of PicsArt for that user. After our report to PicsArt, use of HTTPS was introduced by the vendor in version 4.6.3 in an attempt to prevent man-in-the-middle attacks as well as session hijacking. Unfortunately, adoption of HTTPS did not fix the problems.

In version of the PicsArt Photo Studio app that use HTTPS, the socket object used to perform the secure connection uses a custom X509TrustManager. The TrustManager's task is to check the certificate presented by the server in order to prevent Man-in-the-Middle attacks. The class com.socialin.android.util.w sets the default SSLsocketFactory used in the application to an empty TrustManager and the default HostnameVerifier to a dummy one. Because of that, any certificate presented by the server will be considered valid. This allows an attacker to mount a MITM attack intercepting traffic, creating fake X509 certificates on the fly and submitting them to PicsArt's Android application.

Moreover, up to version 4.6.3 some requests performed by the application were still obtained using HTTP. For example, when a user opens the application, a request over HTTP to https://api.picsart.com/users/show/me.json to obtain user information. Since requests that contains the user key as a parameter like this are being sent to the server, session hijacking is possible by simply capturing traffic. This was fixed in the version 4.6.3.

Additional problems were found by inspecting how the PicsArt Photo Studio app uses the server API. When a user logs in with a social network account using the Android appliction, a HTTP POST request containing the user's access token and other information such as his name, user name, mail and a user identifier for the social network is sent to the PicsArt servers. The server API doesn't verify whether the access token provided is valid for an already created account and responds with the user key associated to the provided social network ID. This allows an attacker to obtain access to other user's PicsArt account by just knowing their user name on third party social networks.

An attacker can also obtain the user's access tokens to third party social networks linked to their profile by requesting the user's profile information using the key provided in the previosuly described step. For example, if a user's has her Twitter account linked to her PicsArt account, the server's response to the profile information will contain the user's OAUTH_TOKEN and OAUTH_TOKEN_SECRET for Twitter. Since the Android's PicsArt application contains the APP_KEY and APP_SECRET embedded in the client code, an attacker has all the information needed to impersonate the client app and obtain access to a user's Twitter. Since the application has read and write permissions in that social network, an attacker could perform status updates. similar attacks are possible on other social networks such as Facebook and Google+.

A sample proof-of-concept script to demonstrates that knowing only a PicsArt user's Twitter ID, it is possible to retrieve that user's key from the PicsArt server API, use it get the user's access token for Twitter and then tweet with her/his account is shown below:

[+ full code]

8. Report Timeline

9. References

[1] About PicsArt. http://picsart.com/about
[2] PicsArt Photo Studio. https://play.google.com/store/apps/details?id=com.picsart.studio
[3] Facebook Login for Android. https://developers.facebook.com/docs/android/login-with-facebook/v2.2
[4] Sign in with Twitter. https://dev.twitter.com/web/sign-in
[5] Vulnerability Note VU#582497. Multiple Android applications fail to properly validate SSL certificates. http://www.kb.cert.org/vuls/id/582497
[6] Java HTTP Request Library. https://github.com/kevinsawicki/http-request

10. About Fundación Dr. Manuel Sadosky

The Dr. Manuel Sadosky Foundation is a mixed (public / private) institution whose goal is to promote stronger and closer interaction between industry and the scientific-technological system in all aspects related to Information and Communications Technology (ICT). The Foundation was formally created by a Presidential Decree in 2009. Its Chairman is the Minister of Science, Technology, and Productive Innovation of Argentina; and the Vice-chairmen are the chairmen of the country’s most important ICT chambers: The Software and Computer Services Chamber (CESSI) and the Argentine Computing and Telecommunications Chamber (CICOMRA). For more information visit: http://www.fundacionsadosky.org.ar

11. Copyright Notice

The contents of this advisory are copyright (c) 2014 Fundación Sadosky and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 4.0 License: http://creativecommons.org/licenses/by-nc-sa/4.0/