CVE-2024-6294
Description
The udn News Android app stores user session tokens in logcat, allowing local or physical attackers to hijack the session and access the news app and associated services.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Overview
The udn News Android application, prior to version 4.20.1, stores the user session token in the Android logcat log file whenever a user logs into the app [1][2]. This occurs because the application writes sensitive authentication data to system logs without proper sanitization or access controls. The root cause is a failure to treat the session token as sensitive information that should never be exposed through debug or logging channels.
Exploitation and Attack Surface
An attacker can retrieve the exposed session token through two primary vectors. First, a malicious application installed on the same Android device could read the logcat buffer, which is often accessible without elevated permissions on older Android versions, or via the READ_LOGS permission [1][2]. Second, an attacker with physical access to the device could connect via USB and use Android Debug Bridge (ADB) commands to dump the logs. The attack requires local access (physical or via a malicious app) but does not require the attacker to know the user's credentials [1][2].
Impact
Once the attacker obtains the session token, they can impersonate the authenticated user within the udn News app. Furthermore, because the session token is shared across services provided by udn (United Daily News), the attacker may also gain access to other linked services without additional authentication [1][2]. This can lead to unauthorized access to the user's account, reading of personalized content, and potential manipulation of account settings.
Mitigation
The vulnerability has been addressed in udn News version 4.20.1 [1][2]. Users are strongly advised to update the app from the official Android app store. As a general security best practice, no app should store session tokens or other secrets in system logs. For environments where the app cannot be updated, users should restrict which apps can access logcat and avoid leaving devices in untrusted physical locations.
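The rule that no app should write session tokens to system logs can be enforced as a release check. The following is an added example, not code from the udn News app or its vendor: it scans a logcat capture from a test build (assumed to be in `threadtime` format) and reports lines carrying token-like values, redacting each value in the report. The key-name list, tag names and sample lines are constructed assumptions.

```python
import re

# logcat "threadtime" layout: date time PID TID priority tag: message
THREADTIME = re.compile(
    r"^(?P<date>\d\d-\d\d)\s+(?P<time>[\d:.]+)\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<prio>[VDIWEF])\s+(?P<tag>.*?)\s*:\s(?P<msg>.*)$"
)
# Key names that usually carry credentials (assumed list; extend per app).
SECRET_KEY = re.compile(
    r"(?i)\b(session[_-]?(?:id|token)?|access[_-]?token|auth[_-]?token|token|"
    r"authorization|cookie)\b[\"']?\s*[:=]\s*[\"']?(?:Bearer\s+)?"
    r"(?P<val>[A-Za-z0-9._~+/=-]{16,})"
)
# Three base64url segments starting with "eyJ": the usual shape of a JWT.
JWT = re.compile(r"\beyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b")

def redact(value):
    """Keep only a short prefix and the length, so reports never leak the secret."""
    return f"{value[:4]}...({len(value)} chars)"

def audit_logcat(lines):
    """Return one finding per log line whose message carries a token-like value."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = THREADTIME.match(line.rstrip("\n"))
        if not m:
            continue  # buffer separators and continuation lines
        msg = m.group("msg")
        hit = SECRET_KEY.search(msg)
        value = hit.group("val") if hit else None
        if value is None:
            jwt = JWT.search(msg)
            value = jwt.group(0) if jwt else None
        if value:
            findings.append({"line": lineno, "tag": m.group("tag"),
                             "priority": m.group("prio"), "value": redact(value)})
    return findings

# Constructed sample capture (not taken from the udn News app).
SAMPLE = [
    "--------- beginning of main",
    "05-20 10:15:01.123  4321  4321 D LoginActivity: login ok session_token=9f8e7d6c5b4a39281716abcdef012345",
    "05-20 10:15:01.200  4321  4388 I OkHttp  : Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlMTIzNA",
    "05-20 10:15:02.010  4321  4321 I ArticleList: loaded 20 items, token refresh not needed",
    "05-20 10:15:02.500  4321  4321 W Session : session_token=[redacted]",
]

if __name__ == "__main__":
    for finding in audit_logcat(SAMPLE):
        print(finding)
```

Run it in CI against the output of `adb logcat -d -v threadtime` taken from a test device after a scripted login, and fail the build when the findings list is non-empty.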
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.