By: Viral Gandhi

Mobile App Wall Of Shame: Wattpad

Encryption


Wattpad

Price : Free
Category : Books & Reference
Platform : Android
Updated : Mar. 23, 2015
Version : 4.21
Size : 11.18 MB
Language : English
Vendor : Wattpad.com

Background:

Wattpad is the world's largest community for readers and writers and was founded in 2006. Users can post articles, stories, fan fiction and poems about anything they like. The content includes work by undiscovered writers, published writers, new writers, and people just looking for somewhere to write down their ideas. Users can comment on and like stories or join different groups. Wattpad has released dedicated applications for Android, iPhone, Blackberry and iPad.
 
Application chart (Courtesy: Appannie, xyo.net)

Android
Global Ranking : 170
Category Ranking : 5 (Books & Reference)
Total number of Downloads : ~42 million
Rating : 4.5/5

Before using the app, a user is required to create a Wattpad account by providing an email address and password. After creating an account they can post stories, read other users' posts, follow users, and like or comment on existing content. The application also lets users link their Gmail, Facebook and Twitter accounts to their Wattpad account, and users can send private messages to each other from within Wattpad.
 
Vulnerability: cleartext username/password
 
Wattpad app
The current version of the Wattpad Android application has a major security issue. Analysis of the traffic during user registration and during account login shows that user credentials are sent to the server over plain HTTP. Anyone who can observe the network traffic (for example, on a shared Wi-Fi network) can read the username and password and take over the user's account. The server's response, which includes the session token, comes back over the same unencrypted connection. Since the application lets users buy books, an attack could also result in financial loss.
When a user registers for an account from the Wattpad Android application, or subsequently logs in, the credentials are sent in clear text in an HTTP request, as shown below.

Account registration:
 
URL: http://www.wattpad.com/v4/users
Method: POST
Host: www.wattpad.com
User-Agent: Android App v4.19.17; Model: Nexus 7; Android SDK: 21; Connection: WiFi; Locale: en_US;
Request Body: type=wattpad&username=fnzscaler&password=p%40ssword123&email=vulapps%40zscaler.com&language=1&fields=token%2Cga%2Cuser%28username%2Cdescription%2Cavatar%2Cname%2Cemail%2Cverified%2Cfollower%2Cfollowing%2CbackgroundUrl%2CvotesReceived%2CnumFollowing%2CnumFollowers%2Clanguage%2Cinbox%28unread%29%2Chas_password%29
Server Response: {"token":"52708887:2129beadf9030d8725750694ec5ee4a1928dbed9891db7bfa0bc432713037a7b","user":{"username":"fnzscaler","name":"","description":"","avatar":"http:\/\/a.wattpad.com\/useravatar\/b.128.jpg","language":1,"verified":false,"votesReceived":0,"numFollowing":0,"numFollowers":0,"backgroundUrl":"","inbox":{"unread":0},"email":"vulapps@zscaler.com","has_password":true,"follower":false,"following":false},"ga":{"logged":"1","created":"20150316","group":0}}
 
Likewise, when an existing user logs in, the username and password are sent in clear text. Below is the traffic capture for a login session.
 
Login:
 
URL: http://www.wattpad.com/v4/sessions
Method: POST
Host: www.wattpad.com
User-Agent: Android App v4.19.17; Model: Nexus 7; Android SDK: 21; Connection: WiFi; Locale: en_US;
Request Body: type=wattpad&username=fnzscaler&password=p%40ssword123&fields=token%2Cga%2Cuser%28username%2Cdescription%2Cavatar%2Cname%2Cemail%2Cverified%2Cfollower%2Cfollowing%2CbackgroundUrl%2CvotesReceived%2CnumFollowing%2CnumFollowers%2Clanguage%2Cinbox%28unread%29%2Chas_password%29
Server Response: {"token":"52708887:2129beadf9030d8725750694ec5ee4a1928dbed9891db7bfa0bc432713037a7b","user":{"username":"fnzscaler","name":"","description":"","avatar":"http:\/\/a.wattpad.com\/useravatar\/b.128.jpg","language":1,"verified":false,"votesReceived":0,"numFollowing":0,"numFollowers":0,"backgroundUrl":"","inbox":{"unread":0},"email":"vulapps@zscaler.com","has_password":true,"follower":false,"following":false},"ga":{"logged":"1","created":"20150316","group":0}}
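The check that the two captures above make obvious by inspection can be automated. The following script is an added example, not code from Zscaler, ZAP or Wattpad: it parses a capture in the same "Key: value" layout used above, decides from the URL scheme whether the request went over TLS, and if not, reports every credential-like form field in the request body and the session token in the JSON response (a captured token lets an attacker use the account's API session without ever replaying the password). The sample capture embedded in the script is constructed from the registration exchange shown above, abbreviated, with the test account values from the capture rather than any real user's credentials; the CREDENTIAL_FIELDS list and the function names are assumptions of this example.

```python
"""Flag credentials and session tokens exchanged over plain HTTP.

Added example (not Zscaler's, ZAP's or Wattpad's code). It reproduces the
check a passive observer, or an intercepting proxy such as ZAP, can make on
a captured request/response pair: if the URL scheme is http rather than
https, every credential-like form field in the request body, and any
session token in the response, was readable to anyone on the path.
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Form field names treated as credentials. This list is an assumption of
# the example; extend it for the application under test.
CREDENTIAL_FIELDS = {"username", "password", "passwd", "pass", "email", "pin"}

# Constructed sample: the registration capture from the write-up,
# abbreviated. A raw string keeps the JSON's "\/" escapes unchanged.
REGISTRATION_CAPTURE = r"""
[-]http://www.wattpad.com/v4/users
Method: POST
Host: www.wattpad.com
User-Agent: Android App v4.19.17; Model: Nexus 7; Android SDK: 21; Connection: WiFi; Locale: en_US;
Request Body: type=wattpad&username=fnzscaler&password=p%40ssword123&email=vulapps%40zscaler.com&language=1&fields=token%2Cga%2Cuser%28username%29
Server Response: {"token":"52708887:2129beadf9030d8725750694ec5ee4a1928dbed9891db7bfa0bc432713037a7b","user":{"username":"fnzscaler","avatar":"http:\/\/a.wattpad.com\/useravatar\/b.128.jpg","email":"vulapps@zscaler.com"},"ga":{"logged":"1"}}
"""


def parse_capture(capture: str) -> dict:
    """Parse the 'Key: value' capture layout used in the write-up into a dict.

    The first non-empty line is the request URL (a leading '[-]' tree marker
    from the proxy view is dropped); the remaining lines are split on their
    first colon so values containing colons (User-Agent, the JSON response)
    stay intact. Keys are lower-cased, e.g. "request body".
    """
    lines = [ln.strip() for ln in capture.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty capture")
    record = {"url": lines[0].lstrip("[-] ").strip()}
    for ln in lines[1:]:
        key, sep, value = ln.partition(":")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record


def is_cleartext(record: dict) -> bool:
    """True when the request went over plain http (no TLS on the wire)."""
    return urlsplit(record["url"]).scheme.lower() != "https"


def cleartext_credentials(record: dict) -> list:
    """Credential-like (field, value) pairs sent in the body without TLS.

    Values are percent-decoded, so 'p%40ssword123' comes back as the
    password the user actually typed. Returns [] for an https request:
    the body was encrypted in transit, which is the only property this
    check looks at (it says nothing about certificate validation).
    """
    if not is_cleartext(record):
        return []
    pairs = parse_qsl(record.get("request body", ""), keep_blank_values=True)
    return [(k, v) for k, v in pairs if k.lower() in CREDENTIAL_FIELDS]


def cleartext_token(record: dict):
    """The session token from a JSON response that was returned without TLS.

    Returns None when the response was encrypted, is not JSON, or has no
    top-level "token" key.
    """
    if not is_cleartext(record):
        return None
    try:
        body = json.loads(record.get("server response", ""))
    except ValueError:  # json.JSONDecodeError is a ValueError
        return None
    return body.get("token") if isinstance(body, dict) else None


def audit(capture: str) -> dict:
    """Run both checks over one raw capture and summarise the findings."""
    record = parse_capture(capture)
    creds = cleartext_credentials(record)
    token = cleartext_token(record)
    return {
        "url": record["url"],
        "cleartext": is_cleartext(record),
        "credentials": creds,
        "token": token,
        "vulnerable": bool(creds or token),
    }


if __name__ == "__main__":
    finding = audit(REGISTRATION_CAPTURE)
    for field, value in finding["credentials"]:
        print(f"cleartext {field}: {value}")
    if finding["token"]:
        print(f"cleartext session token: {finding['token']}")
```

Feeding the login capture to audit() gives the same result, since the request body and the returned token are identical. Changing the URL to https:// makes both checks return nothing, which is the point: the transport, not the form encoding, is what protects the credentials.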
 
ZAP Analysis:
ZAP in action (screenshot of the intercepted requests).
Conclusion:
 
The rapidly growing list of applications that do not implement even the most basic security measures means users have to take care when accessing their accounts on public networks, where anyone on the same network can capture unencrypted traffic. It is also important to avoid reusing passwords across applications, so that a password captured from one app does not unlock others. On the vendor side the fix is straightforward: registration and login requests, and the session token returned in response, must be sent over HTTPS only.

Credit - Lakshmi Devi.
 
