Unrated severity · NVD Advisory · Published Apr 22, 2019 · Updated Aug 4, 2024

CVE-2019-11384

Description

Zalora Android app 6.15.1 stores login credentials in plain text in shared preferences, allowing a local non-root user to extract them via ADB backup.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Zalora application version 6.15.1 for Android stores user credentials (email and password) in plain text in the file /data/data/com.zalora.android/shared_prefs/login_data.xml. This file is part of the app's shared preferences and is readable by any process with the same user ID or via an ADB backup. The stored data is in JSON format within an XML string, with the password and email clearly visible [1].

Exploitation

An attacker with physical access to the device, or the ability to execute ADB commands as a non-root user, can extract the credentials. The steps are: back up the app data using adb backup -f ~/zalora.ab -noapk com.zalora.android, convert the backup to a tar file using abe.jar, extract the tar, and read the login_data.xml file. No root privileges are required; the attacker only needs USB debugging enabled or the ability to trigger a backup [1].

Impact

A successful exploit allows the attacker to retrieve the victim's plain-text password and email. With these credentials, the attacker can log into the Zalora application and potentially access the victim's account, including personal details, order history, and payment information. This compromises user confidentiality and can lead to account takeover [1].

Mitigation

At the time of publication (April 2019), no official fix had been released for version 6.15.1. Users should avoid storing credentials on the device if possible, enable device encryption, and revoke ADB access for untrusted connections. The vendor should update the app to use secure storage mechanisms such as Android's EncryptedSharedPreferences or the KeyStore system [1].
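An added example (not from the advisory or the vendor) that audits a shared-preferences XML file for the pattern described under Vulnerability, readable credential fields inside a JSON string, so a tester can confirm whether a build still stores them in plain text. The preference name, JSON key names, sample values and the key-name pattern are assumptions constructed for illustration.

```python
import json
import re
import xml.etree.ElementTree as ET

# Key-name pattern for credential-like fields (an assumption; tune per app).
SENSITIVE = re.compile(r"pass(word|wd)?|pwd|secret|token|e-?mail", re.I)

# Constructed sample: the layout the advisory describes (JSON inside an XML
# <string>), with hypothetical key names and made-up values.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_data">{&quot;email&quot;:&quot;user@example.com&quot;,&quot;password&quot;:&quot;example-pass&quot;,&quot;profile&quot;:{&quot;id&quot;:42}}</string>
    <boolean name="first_run" value="false" />
    <string name="theme">dark</string>
</map>"""

def _walk(value, path):
    """Yield (path, leaf) for every scalar in a decoded JSON value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, f"{path}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, value

def find_plaintext_credentials(prefs_xml):
    """Return sorted paths of readable, credential-like string values."""
    findings = []
    root = ET.fromstring(prefs_xml)
    for node in root.iter("string"):
        name, text = node.get("name", ""), node.text or ""
        try:
            decoded = json.loads(text)  # value may itself be a JSON document
        except ValueError:
            decoded = text  # ordinary string preference
        for path, leaf in _walk(decoded, name):
            key = path.rsplit(".", 1)[-1]
            if isinstance(leaf, str) and leaf and SENSITIVE.search(key):
                findings.append(path)
    return sorted(findings)

if __name__ == "__main__":
    for hit in find_plaintext_credentials(SAMPLE_PREFS):
        print("plaintext credential-like value at:", hit)
```

The check matches on key names only, so an empty result means no readable credential-named field was found, not that the file holds no secrets.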

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

1
