CVE-2019-17398

Vulnerability

The official Dark Horse Comics Android application version 1.3.21 (and possibly earlier versions) logs a user token during authentication. This token is a Base64-encoded string of the username and password concatenated with a colon. The log message is generated by DarkHorse.DungeonHTTPClient and can be viewed via adb logcat by filtering for request with token [1]. The vulnerability was reported by Rice Computer Security Lab and affects the app distributed on Google Play with over one million installs [1].

Exploitation

An attacker with physical access to the device or the ability to run adb logcat (e.g., via a malicious app on Android versions prior to Jelly Bean, where no permission is required to read logs) can capture the token. The exploit steps are: (1) open the Dark Horse Comics login UI, (2) enter any credentials, (3) run adb logcat | grep 'request with token' to capture the Base64 string, and (4) decode the Base64 string to reveal the username and password in plaintext [1].

Impact

Successful exploitation allows an attacker to obtain the user's username and password for the Dark Horse Comics service. With these credentials, the attacker can log in as the victim and access their account and any associated content or personal information [1]. The exposure is limited to local access or apps that can read Logcat output.

Mitigation

The vendor (Dark Horse Comics) released a fix shortly after being notified, resolving the issue in a newer version of the application [1]. Users should update the Dark Horse Comics app from the Google Play Store to the latest version. No other workarounds are documented in the supplied references.