Home / os / blackberry
USAA Mobile App Information Disclosure
Posted on 23 January 2015
The USAA Mobile app for Android, prior to version 7.10.1 (released 19 January), contains an information disclosure vulnerability. I have submitted a CVE-Assign request for this issue but do not yet have a CVE assigned. The issue is demonstrated with sanitized screen captures at http://dnlongen.blogspot.com/CVE-2015-USAA By design, the USAA Mobile app for Android allows users to select whether to log out immediately upon task-switching (i.e. being interrupted by a phone call or notification), or to stay logged in for up to 20 minutes. When "Stay logged in" is enabled however, versions prior to 7.10.1 display the last-viewed screen *before* prompting the user to log back in. If that last screen contained sensitive information, such as account numbers and balances, it becomes possible for one to obtain this information without authorization. Whether it were 20 minutes later, or a week later, launching the USAA mobile app would show personal information briefly before blanking the screen and prompting for a password or PIN. I would not consider this a severe risk. It cannot be exploited by a remote attacker - it requires physical access to the mobile device. It also requires that the attacker is able to log in to the Android device, or that the device lacks a password-protected lockscreen. I have not found it possible to take any action without authenticating - the screen is shown for perhaps a second or two before a login prompt appears. Nonetheless, it is an unauthenticated information disclosure issue with the app. With the 7.10.1 version, instead of seeing a screen full of personal information, the app opens to a benign menu that has no personal information. Upon choosing a menu option that would show private data, the user is prompted to log in before any data is shown. -- Regards, David Longenecker @dnlongen
