- Type: Task
- Resolution: Done
- Priority: Medium
- Affects Version/s: None
- FLW Sprint 37, FLW Sprint 38, FLW Sprint 39
- FLW Mobile App
- All
The application exposes unauthorized or unused functionality that an attacker can trigger.

Impact: Exposure of internal or debugging features may lead to privilege escalation or data leakage.
| Field | Detail |
|---|---|
| Vulnerability Name | Application Logs |
| Vulnerable URL | Extraneous Functionality |
| CVE/CWE | CWE-912 |
| CVSS Score | 6.3 |
| Overall Risk (Severity) | Medium |
| Observation / Description | It was observed that the application was logging the user’s sensitive information. |
| Impact | The system could be completely compromised without you knowing it. All of your data could be stolen or modified slowly over time. Recovery costs could be expensive. The technical impact of extraneous functionality includes: exposure of how backend systems work; unauthorized high-privileged actions executed. |
| Recommendation | The best way to prevent this vulnerability is to perform a manual secure code review using security champions or the subject matter experts most familiar with this code. They should: examine the app’s configuration settings to discover any hidden switches; verify that no test code is included in the final production build of the app; examine all API endpoints accessed by the mobile app to verify that these endpoints are well documented and publicly available; examine all log statements to ensure nothing overly descriptive about the backend is written to the logs. |
| Reference | https://owasp.org/www-project-mobile-top-10/2016-risks/m10-extraneous-functionality |
| Steps to reproduce | Step 1: During the security assessment we logged in to the app and monitored the logs via logcat while using the application; the auth token was disclosed in the logs. |
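As an added example (not part of this ticket or the FLW project's code), the check in step 1 and the recommendation to review log statements can be partly automated with a small scanner run over a logcat capture. It parses the standard logcat layout, flags lines that contain an auth token, and records which tag emitted them so the owning component can be fixed; it also masks the secret so the evidence can be pasted into a ticket without re-leaking it. The logcat lines, tag names and token values below are constructed for the example, and the secret patterns are assumptions about what a token leak looks like that would be tuned to the app's own header and key names.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed logcat excerpt (not captured from the FLW app); tag names,
# PIDs and token values are made up for this example.
SAMPLE_LOGCAT = """\
05-12 10:21:03.114  4321  4321 D LoginActivity: login success for user=alice
05-12 10:21:03.120  4321  4321 D ApiClient: request headers: {Authorization=Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX3BsYWNlaG9sZGVy, Accept=application/json}
05-12 10:21:03.251  4321  4321 V OkHttp: --> GET https://api.example.invalid/v1/profile
05-12 10:21:03.260  4321  4321 D SessionStore: saved auth_token=3f9a1c0d2b7e4a5c9d8e7f6a5b4c3d2e
05-12 10:21:04.002  4321  4321 I ProfileFragment: rendered 3 cards
"""

# logcat "threadtime" layout: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^\S+\s+\S+\s+\d+\s+\d+\s+(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s?(?P<msg>.*)$"
)

# Assumed leak shapes. Each pattern names the part that must never reach a
# log as the group "secret"; extend the key list with the app's own names.
SECRET_PATTERNS = [
    ("bearer_token", re.compile(r"(?i)\bBearer\s+(?P<secret>[A-Za-z0-9._~+/=-]{16,})")),
    ("jwt", re.compile(r"\b(?P<secret>eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,})\b")),
    ("token_kv", re.compile(
        r"(?i)\b(?P<key>auth[_-]?token|access[_-]?token|session[_-]?id|password)"
        r"\s*[=:]\s*(?P<secret>[^\s,}]+)"
    )),
]


@dataclass
class Finding:
    line_no: int      # 1-based line in the capture
    tag: str          # logcat tag that emitted the line, i.e. which component to fix
    kinds: List[str]  # which secret patterns matched the original message
    redacted: str     # the message with secrets masked, safe to attach as evidence


def redact_line(text: str) -> str:
    """Mask every secret matched by SECRET_PATTERNS, keeping the surrounding context."""
    for _, pattern in SECRET_PATTERNS:
        text = pattern.sub(
            lambda m: m.group(0).replace(m.group("secret"), "[REDACTED]"), text
        )
    return text


def detect_kinds(text: str) -> List[str]:
    """Names of the leak patterns present in the text, in SECRET_PATTERNS order."""
    return [kind for kind, pattern in SECRET_PATTERNS if pattern.search(text)]


def scan_logcat(capture: str) -> List[Finding]:
    """Return one Finding per logcat line that leaks an authentication secret."""
    findings = []
    for line_no, raw in enumerate(capture.splitlines(), start=1):
        parsed = LOGCAT_RE.match(raw)
        # Fall back to treating the whole line as the message if the layout differs.
        tag, msg = (parsed.group("tag"), parsed.group("msg")) if parsed else ("?", raw)
        kinds = detect_kinds(msg)
        if kinds:
            findings.append(Finding(line_no, tag.strip(), kinds, redact_line(msg)))
    return findings


if __name__ == "__main__":
    for f in scan_logcat(SAMPLE_LOGCAT):
        print(f"line {f.line_no} tag={f.tag} leaks={','.join(f.kinds)} :: {f.redacted}")
```

In practice the capture would come from `adb logcat -v threadtime` piped to a file while exercising the login and API flows. The tag column maps each leak back to the log statement that should be removed or reduced, and the redacted message is what goes into the report; the same `redact_line` function can double as a last-resort filter in a logging wrapper, although the recommendation above (removing the statements) remains the real fix.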