Camera360 is a popular photo shooting and editing application with millions of users worldwide. It has been downloaded about 30 million times and has a 4.4 rating from 2 million users. It also provides a free cloud service for storing pictures; to use the cloud feature, users create a cloud account, which can also be accessed via the website www.cloud.camera360.com.
FireEye has found that the vulnerability lies in the app's cloud services. Cloud access is protected by a username and password, but when the app accesses the cloud, it leaks sensitive data, in unencrypted form, to the Android system log (logcat) and to network traffic. Apps that can read logcat or capture network traffic can steal this data. A malicious party on the same Wi-Fi network as the device can also steal this data by Wi-Fi sniffing. Leaked data can be used in the following ways for unauthorized access to user images:
- Creating a new login session using leaked credentials, then fetching the keys of images from the server and using them to download images
- Hijacking the login session, using a leaked token, to download images
- Using the leaked image keys to download images without authentication
Also, images within captured network traffic can be easily extracted and viewed. The app leaks permanent, non-expiring image keys, which malicious actors can use to download images without providing credentials or a token. The FireEye researchers also found that the app transfers images to and from its cloud server over unencrypted network traffic, which attackers can capture using a network sniffer. Another critical hole is that leaked email addresses and password hashes can be used to send an unauthorized login request to the server. FireEye says that attackers can obtain user passwords by cracking the leaked password hash. Password hashes and leaked email addresses can be used to log in to the cloud service.

It is not known whether FireEye has informed PinGuo, the publishers of Camera360 Ultimate, about the vulnerability or whether the publishers/developers have patched it. Further, Camera360 Ultimate is also available for iPhone and iPad; FireEye's vulnerability report does not mention whether iOS users are as vulnerable as Android owners. It can be assumed that the iOS app also uses the same token and traffic system as Android and is therefore equally vulnerable to this exploit.
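A developer-side check for the logcat leak described above, as an added example that is not from FireEye's report or the app's code: it flags log lines that carry email addresses, password hashes, session tokens or cleartext http:// URLs, and produces a redacted form of each line. The key names, host name and sample log lines are constructed assumptions.

```python
import re

# Added example: audit `adb logcat -d -v threadtime` output from a test build.
# Key names (password, token, session...) are assumed, not the app's real ones.
RULES = [
    ("password_hash", re.compile(r"(?i)(pass(?:word|wd)?\w*[\"']?\s*[=:]\s*[\"']?)([0-9a-f]{32,128})\b")),
    ("session_token", re.compile(r"(?i)((?:token|session\w*)[\"']?\s*[=:]\s*[\"']?)([\w.-]{16,})")),
    ("email", re.compile(r"()([\w.+-]+@[\w-]+(?:\.[\w-]+)+)")),
    ("cleartext_url", re.compile(r"()(http://[^\s\"']+)")),
]
# threadtime layout: date time PID TID level tag: message
LOGCAT = re.compile(r"^\S+ \S+\s+(\d+)\s+\d+\s+[VDIWEF]\s+(.*?)\s*: (.*)$")

def audit(lines):
    """Return (line_no, pid, tag, kind) per leak; the secret itself is never stored."""
    findings = []
    for no, line in enumerate(lines, 1):
        m = LOGCAT.match(line)
        if not m:
            continue  # not a threadtime-formatted log line
        pid, tag, msg = m.groups()
        for kind, rx in RULES:
            if rx.search(msg):
                findings.append((no, int(pid), tag, kind))
    return findings

def redact(line):
    """Mask secret values but keep key names, so the log stays useful for debugging."""
    for kind, rx in RULES:
        if kind != "cleartext_url":  # URLs are flagged by audit(), not masked
            line = rx.sub(lambda m: m.group(1) + "[REDACTED]", line)
    return line

# Constructed sample lines (not captured from any real app).
SAMPLE = [
    "03-14 10:21:07.123  4321  4350 D CloudLogin: POST http://cloud.example.test/login "
    "email=alice@example.test&password=0123456789abcdef0123456789abcdef",
    '03-14 10:21:07.901  4321  4350 D CloudLogin: resp {"token": "a1b2c3d4e5f6a7b8c9d0e1f2"}',
    "03-14 10:21:08.010  4321  4321 I Gallery: loaded 12 thumbnails",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    for line in SAMPLE:
        print(redact(line))
```

Run against a debug build's log in CI, any finding means the logging call or the http:// endpoint should be fixed before release.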