CVE-2019-17396
Description
PowerSchool Mobile 1.1.8 logs username and password in Android logcat during authentication, exposing credentials to attackers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
PowerSchool Mobile version 1.1.8 for Android logs the username and password in plaintext within the authentication request XML, which is written to the system log (logcat). This occurs during the login process when the app sends a SOAP request to the server. The log entry contains the full request XML, including ` and ` elements with the user's credentials.[1]
Exploitation
An attacker with access to the device's logcat output can retrieve the credentials. On Android versions prior to Jelly Bean (API level 16), any installed app can read logcat without special permissions. On later versions, the attacker would need either physical access to the device, a compromised app with READ_LOGS permission (deprecated but still effective on some devices), or the ability to run adb logcat via USB debugging. The attacker can filter for 'password' in logcat output to locate the credentials.[1]
Impact
Successful exploitation allows the attacker to obtain the victim's PowerSchool username and password. This can lead to unauthorized access to the PowerSchool portal, potentially exposing sensitive student and school information depending on the user's privileges.
Mitigation
The vendor was notified and stated a fix would be released soon. As of the publication date (2019-10-15), no patched version was available. Users should avoid using the app on untrusted devices or with USB debugging enabled, and logcat output should be monitored for exposure. The app may have been updated since; checking the current version on the Google Play Store is recommended.[1]
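
The mitigation above recommends monitoring logcat output for exposure. The following added example (not part of the CVE record or the vendor's code) scans a captured `adb logcat -v threadtime` dump for XML elements with credential-like names, and includes a redaction helper that a logging wrapper could apply before writing a request. The log tags, element names and sample lines are constructed assumptions.

```python
import re

# Constructed sample: a logcat capture in "threadtime" format. The log tags,
# element names and values are invented for illustration, not the app's own.
SAMPLE_LOGCAT = """\
10-15 09:12:01.100  4321  4350 D ExampleSoapClient: request=<login><username>jdoe</username><password>Hunter2!</password></login>
10-15 09:12:01.450  4321  4350 I ExampleSoapClient: HTTP 200 in 350 ms
10-15 09:12:02.010  1200  1200 W ActivityManager: Slow operation: 52ms
10-15 09:12:03.300  4321  4321 D ExampleUi: password field focused
"""

# threadtime layout: date time pid tid level tag: message
LINE_RE = re.compile(
    r"^\S+\s+\S+\s+(?P<pid>\d+)\s+\d+\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)
# An XML element whose name suggests a credential and whose body is non-empty.
# Heuristic name list (assumption); extend it for the protocol being audited.
CRED_RE = re.compile(
    r"<(?P<name>[\w:.-]*(?:pass(?:word|wd)?|user(?:name|id)|token|secret)[\w:.-]*)"
    r"(?:\s[^>]*)?>(?P<value>[^<]+)</(?P=name)>",
    re.IGNORECASE,
)

def find_credential_leaks(logcat_text):
    """Return one finding per credential-like element; never stores the value."""
    findings = []
    for lineno, line in enumerate(logcat_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines or other formats are skipped
        for hit in CRED_RE.finditer(m["msg"]):
            findings.append({
                "line": lineno,
                "pid": int(m["pid"]),
                "tag": m["tag"],
                "element": hit["name"],
                "value_length": len(hit["value"]),  # length only, not the secret
            })
    return findings

def redact(message):
    """Replace credential element bodies so the message is safe to log."""
    return CRED_RE.sub(lambda h: "<%s>[REDACTED]</%s>" % (h["name"], h["name"]), message)

if __name__ == "__main__":
    for finding in find_credential_leaks(SAMPLE_LOGCAT):
        print(finding)
```

The line that merely mentions the word "password" (the constructed `ExampleUi` entry) is not reported, because the check requires an element with a non-empty body rather than a keyword match.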
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- PowerSchool/PowerSchool Mobile (description)
- Range: =1.1.8
Patches
No patches discovered yet.
References
[1] pastebin.com/9VBiRpAR (mitre, x_refsource_MISC)