Two severe vulnerabilities in the Zenly app put users' privacy at risk: one exposed phone numbers and the other allowed account takeovers. In the worst case, the exposed numbers could have fuelled a large-scale wave of phishing attacks.
Zenly App Vulnerabilities Risking Users
As elaborated in a blog post, the Checkmarx Security Research Team found serious security vulnerabilities while investigating the Zenly app.
Briefly, Zenly is an interactive social app that lets users connect with their contacts via a live map. This geolocation feature also makes the app useful for different user groups, such as travelers, ride-sharing drivers, emergency service workers (such as firefighters), and more.
Specifically, the Checkmarx team found two different vulnerabilities in the app that threatened users’ security.
1. Exposed Phone Numbers
According to the researchers, the app allowed anyone who knew a target's username to retrieve that user's phone number. The attacker only had to send a friend request: the app returned the phone number right away, even if the target never accepted the request.
It wasn't difficult for an attacker to find a user's username either. Explaining how this could happen, the researchers stated,
For obtaining the phone number of a user, a malicious actor does not need to know their username at the start, but is able to follow a chain of friends until one of them has the victim in their friends list.
This disclosure not only risked an individual's privacy but could also compromise the security of an entire business team.
Describing an example exploit scenario, the researchers stated that an adversary could target any employee of a firm by searching for the victim's Zenly username or luring the target into sharing it. Once obtained, the attacker could browse the target's Zenly contacts to find the CEO's account and, from it, retrieve the CEO's phone number, which could then be used to mount spear-phishing attacks.
2. Account Takeover
The other vulnerability would allow an attacker to take over a target account by hijacking a session token. Explaining the vulnerability, the post reads,
An attacker can take over a user account by abusing the /SessionCreate endpoint, which will consistently return the same session token (although not yet valid) for the same user. Once the legitimate user validates the SMS code for that session token, the session will become valid for both the legitimate user and the attacker.
The… attacker needs to obtain a session token before the legitimate user calls the /SessionVerify endpoint. This can be done either before or after the legitimate user calls the /SessionCreate endpoint.
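The following is an added example, not Zenly's code or Checkmarx's PoC, that models the takeover sequence quoted above. The endpoint names follow the write-up; the token derivation, the data layout and the simulated SMS inbox are assumptions made for the demonstration. A vulnerable service hands every caller of /SessionCreate the same not-yet-valid token for a given phone number, so the victim's own /SessionVerify promotes the attacker's copy too; a fixed service mints a fresh unpredictable token per call, so there is nothing for the victim to promote. Both attacker orderings from the write-up (before and after the victim's /SessionCreate) are replayed.

```python
"""
Model of the SessionCreate/SessionVerify takeover described above.

Added example, not Zenly's implementation: the endpoint names follow the
write-up; the token derivation, the data layout and the simulated SMS inbox
are assumptions made for the demonstration. Phone numbers are constructed.
"""
import hashlib
import secrets
from collections import defaultdict


class VulnerableSessionService:
    """Pre-verification token is a deterministic function of the phone number
    (assumed mechanism behind "consistently return the same session token")."""

    def __init__(self, server_secret: str = "static-server-secret"):
        self._secret = server_secret          # assumed: never rotated
        self._pending = {}                    # token -> (phone, sms_code)
        self._valid = set()                   # tokens that passed SessionVerify
        self.inbox = defaultdict(list)        # phone -> SMS codes delivered

    def _new_token(self, phone: str) -> str:
        # Same input -> same token, whoever asks. That is the flaw.
        return hashlib.sha256(f"{self._secret}:{phone}".encode()).hexdigest()[:32]

    def session_create(self, phone: str) -> str:
        token = self._new_token(phone)
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[token] = (phone, code)  # a later call overwrites the code
        self.inbox[phone].append(code)        # SMS goes to the real phone only
        return token

    def session_verify(self, token: str, code: str) -> bool:
        entry = self._pending.get(token)
        if entry is None or not secrets.compare_digest(entry[1], code):
            return False
        del self._pending[token]
        self._valid.add(token)                # validates the token, not the caller
        return True

    def is_valid(self, token: str) -> bool:
        return token in self._valid


class FixedSessionService(VulnerableSessionService):
    """Same flow, but every SessionCreate returns a fresh random token, so the
    attacker's token and the victim's token are never the same object."""

    def _new_token(self, phone: str) -> str:
        return secrets.token_urlsafe(24)


def victim_logs_in(service, phone: str, token: str) -> bool:
    """The legitimate user types the code(s) received by SMS into the app,
    for the token their own SessionCreate call returned."""
    return any(service.session_verify(token, code) for code in service.inbox[phone])


def run_takeover(service, victim_phone: str, attacker_first: bool) -> bool:
    """Replay the sequence from the advisory: the attacker calls SessionCreate
    for the victim's number at some point before the victim's SessionVerify,
    either before or after the victim's own SessionCreate. Returns True if
    the attacker's token ends up valid (takeover succeeded)."""
    if attacker_first:
        attacker_token = service.session_create(victim_phone)
        victim_token = service.session_create(victim_phone)
    else:
        victim_token = service.session_create(victim_phone)
        attacker_token = service.session_create(victim_phone)
    victim_logs_in(service, victim_phone, victim_token)
    return service.is_valid(attacker_token)


if __name__ == "__main__":
    for svc_cls in (VulnerableSessionService, FixedSessionService):
        for first in (True, False):
            hijacked = run_takeover(svc_cls(), "+15550100", attacker_first=first)
            print(f"{svc_cls.__name__:25} attacker_first={first!s:5} "
                  f"attacker token valid: {hijacked}")
```

The one property the fix relies on is that a token is unpredictable and unique per /SessionCreate call; deriving it from anything the attacker can supply (the phone number, a username) is what turns an SMS check on the victim's side into a login for the attacker. Binding the pending session to the client that created it and rate-limiting /SessionVerify are complementary hardening, not substitutes.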
Zenly Patched The Vulnerabilities
Following this discovery, the researchers contacted the Zenly team to share the bug reports. (The researchers have also shared the PoC exploits in their post.)
In response, the vendor quickly addressed the bugs and released patches in subsequent app updates.
Hence, users now only need to update the app to the latest version to receive the patches.