MSN World application for Android (version 1.4.2) stores sensitive information in cleartext within the SQLite database.
CVE number: Not Assigned
Vendor homepage: http://www.microsoft.com/
Vendor notified: 12/13/2012
Vendor fixed: 1/30/2013
Credit: Christopher Emerson of White Oak Security
Confirmed in MSN World application for Android (version 1.4.2). Other versions may also be affected.
When a user successfully signs into the application, the user’s username and password are stored in cleartext within the webview.db > password table.
A user’s username and password could be accessed by any other application with permissions to read that table. An attacker could use those credentials to impersonate the user and potentially access the valid user’s content and purchase additional content with any saved payment devices.
The impact could be much greater if the user’s account is tied to other Microsoft services such as Skype, web mail, etc…
Furthermore, the cleartext credentials will be stored on the user’s mobile phone which makes them more easily accessible to an attacker with access to the device. This significantly lowers the difficulty of exploitation.
The vendor has release an application update which removes the users password from webview.db.
December 13, 2012: Disclosed to vendor (Microsoft Security Response Center).
January 4, 2013: Vendor’s initial response.
April 4, 2013: Vendor stated a fix was implemented 1/30/2013.
April 4, 2013: Disclosed vulnerability publicly.