UFC on Xbox LIVE for Android - Cleartext Storage of Sensitive Information

Summary
=======
The UFC on Xbox LIVE application for Android (version 1.0) stores sensitive information in cleartext within the SQLite database.

CVE number: Not Assigned
Impact: Medium
Vendor homepage: http://www.microsoft.com/
Vendor notified: 12/13/2012
Vendor fixed: N/A - Vendor Removed Application from Android Store
Credit: Christopher Emerson of White Oak Security 
(http://www.whiteoaksecurity.com/)

Affected Products
=================
Confirmed in UFC on Xbox LIVE application for Android (version 1.0). Other versions may also be affected.

Details
=======
When a user successfully signs into the application, the user's username and password are stored in cleartext within the webview.db > password table.

Impact
======
A user’s username and password could be accessed by any other application with permissions to read that table.  An attacker could use those credentials to impersonate the user and potentially access the valid user’s content and purchase additional content with any saved payment devices.

The impact could be much greater if the user’s account is tied to other Microsoft services such as Skype, web mail, etc...

Furthermore, the cleartext credentials will be stored on the user’s mobile phone which makes them more easily accessible to an attacker with access to the device.  This significantly lowers the difficulty of exploitation.

Solution
========
The vendor has chosen to discontinue support for this application.  As a result of this security issue, the application is to be removed from the Google Play Store.  

Existing customers will get a notification in their app that their app will no longer be supported.

Disclosure Timeline
==============
December 13, 2012: Disclosed to vendor (Microsoft Security Response Center).
January 4, 2013: Vendor’s initial response.
August 29 2013: Vendor stated application will no longer be supported and will be removed from app store.
August 30, 2013: Disclosed vulnerability publicly.

 

Christopher Emerson