AppLock is an Android application used to add a lock screen to the gallery and other applications. The app has a vulnerability in its web backend that allows an attacker to reset anyone's password with a MITM attack.
AppLock is one of the most common application-lock utilities for Android devices; it allows anyone to lock applications on their Android device. If you lock an application with AppLock, whenever you launch or resume that application, AppLock puts a password screen in front of it. The vulnerability lies in AppLock's Forgot Password feature.
REQUEST
POST /servlet/applock HTTP/1.1
Content-Length: 139
Content-Type: application/x-www-form-urlencoded
Host: applock.domobile.com
Connection: Keep-Alive
action=domo_user_reset&app_package=com.domobile.applock&version_code=2015061101&imei=000000000000000&email=xyz%40gmail.com&code_md5=
RESPONSE
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-cache
Vary: Accept-Encoding
Date: Tue, 28 Jul 2015 14:49:07 GMT
Server: Google Frontend
Alternate-Protocol: 80:quic,p=0
Accept-Ranges: none
Content-Length: 59
{"done":"1","code_md5":"CD18E6BDA8990DDAF6ADD006C6EC64E0"}
The user enters the reset code received by email into the Forgot Password option to reset the password. AppLock computes the MD5 of the reset code entered by the user and compares it with the MD5 previously received in the HTTP response; if they match, the user is allowed to set a new AppLock password.
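The flow above leaves the check to the client and mails the code to whatever address the request names. The following Python model, an added example rather than AppLock's code, places the vulnerable handler beside a hardened one that binds the reset to the registered account and verifies server side; the account store keyed by IMEI, the 10-minute expiry and the OUTBOX mail stand-in are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed account store: the address on file is bound to the device
# identity at registration; the reset request cannot change it.
ACCOUNTS = {"000000000000000": {"email": "owner@example.com"}}
PENDING = {}   # imei -> (sha256 hex of the reset code, expiry timestamp)
OUTBOX = []    # stand-in for the mail sender: (recipient, code) pairs

def vulnerable_reset(params):
    """Model of the flow the page describes: the code is mailed to whatever
    address the request names and its MD5 is returned so the client can compare."""
    code = secrets.token_hex(4)
    OUTBOX.append((params["email"], code))
    return {"done": "1",
            "code_md5": hashlib.md5(code.encode()).hexdigest().upper()}

def hardened_reset(params, now=None):
    """Ignore the email parameter, mail only the registered address, keep a
    hash server side and return nothing an on-path observer can use."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(params.get("imei"))
    if acct is not None:
        code = secrets.token_hex(4)
        PENDING[params["imei"]] = (hashlib.sha256(code.encode()).hexdigest(), now + 600)
        OUTBOX.append((acct["email"], code))
    return {"done": "1"}   # same reply for unknown devices: no enumeration oracle

def hardened_verify(imei, submitted, now=None):
    """The server, not the client, checks the code: constant-time compare,
    expiry, single use."""
    now = time.time() if now is None else now
    entry = PENDING.get(imei)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:
        PENDING.pop(imei, None)
        return False
    ok = hmac.compare_digest(digest, hashlib.sha256(submitted.encode()).hexdigest())
    if ok:
        PENDING.pop(imei, None)
    return ok
```

With the hardened handler a tampered email parameter changes nothing: the code still goes to the registered address and the response carries no digest to check against.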
The vulnerability exists in the logical flow: AppLock's server does not validate the email parameter against a user. An attacker can perform an MITM attack, tamper with the email parameter to substitute an address he controls, and steal the reset code. The fact that the communication is over HTTP makes MITM very easy and practical. To simulate the attack, I fired up a proxy that tampers with the email parameter on the fly whenever a request is made to http://applock.domobile.com/servlet/applock

Ajin Abraham is a Security Engineer with 7+ years of experience in Application Security, including 4 years of Security Research. He is passionate about developing new and unique security tools. Some of his contributions to the hacker's arsenal include OWASP Xenotix XSS Exploit Framework, Mobile Security Framework (MobSF), Droid Application Fuzz Framework (DAFF), Xenotix xBOT and NodeJsScan, to name a few. He has been invited to speak at multiple security conferences including ClubHack, Nullcon, OWASP AppSec EU, OWASP AppSec AsiaPac, BlackHat Europe, Hackmiami, Confidence, BlackHat US, BlackHat Asia, ToorCon, Ground Zero Summit, Hack In Paris, Hack In The Box, c0c0n and PHDays.