Tomofun Furbo Mobile App Insecure Storage of Sensitive Information Vulnerability
Vulnerability
A vulnerability exists in the Tomofun Furbo Mobile App for Android, affecting versions through 7.57.0a. The issue lies in the Authentication Token Handler component, where sensitive information is stored insecurely. This vulnerability allows an attacker with physical access to the device to retrieve the MFA authentication code, Cognito authentication token, and P2P authentication codes associated with the user's account. Notably, this sensitive information remains in the device's memory even after the app is closed.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive authentication tokens and codes, potentially allowing for unauthorized actions on behalf of the user.
Reproduction
To reproduce this vulnerability, first install the Furbo Mobile App on a rooted Android device. Connect a web proxy, such as Burp Suite or ZAP, to monitor the app's traffic. After authenticating and connecting to a device on your account, log out and close the app. In the web proxy, locate and copy the sensitive values from the response bodies of the requests to '/v5/account/read/login' and '/v5/device/p2p_connection/get'. Next, ensure that Frida is installed on the device and download fridump3 from GitHub. Run fridump3 to create a memory dump, then search the dump for the copied values using grep. The MFA authentication code, P2P account ID, and other authentication details can be retrieved from the memory dump, demonstrating that this information is stored insecurely and remains accessible even after the app is closed.
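The grep step above is also the regression check a defender runs after fixing this class of issue: once the token handler wipes its secrets on logout, a dump taken after the app is closed should contain no copy of them. The following added example (not code from Tomofun, the advisory, or fridump3) generalises that check. It takes the dump as bytes and the session values the tester already copied from the proxy responses, searches for each value in both Latin-1 and UTF-16LE form (ART keeps java.lang.String contents in either, so an ASCII-only grep can miss a copy), and additionally flags JWT-shaped strings such as Cognito tokens that were not on the known list. The secret values, the dump contents, and the function names are all constructed placeholders for this example.

```python
import re
from typing import Dict, List

# Constructed stand-ins for the values a tester copies from the proxy responses.
# These are placeholders for the example, not real Furbo or Cognito values.
KNOWN_SECRETS: Dict[str, str] = {
    "mfa_code": "123456",
    "cognito_id_token": "eyJraWQiOiJFWEFNUExFIn0.eyJzdWIiOiJ0ZXN0In0.c2lnbmF0dXJl",
    "p2p_account_id": "PLACEHOLDER-P2P-ACCOUNT-ID",
}

# Cognito tokens are JWTs: three base64url segments separated by dots.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def encodings(value: str) -> Dict[str, bytes]:
    """Byte forms a Java string can take in an ART heap: compressed Latin-1
    or UTF-16LE. Searching only for the ASCII form misses the second case."""
    return {"latin1": value.encode("latin-1"), "utf16le": value.encode("utf-16-le")}


def find_residue(dump: bytes, secrets: Dict[str, str]) -> List[dict]:
    """Every occurrence of every known secret, in every encoding, with offsets."""
    hits: List[dict] = []
    for name, value in secrets.items():
        for enc, needle in encodings(value).items():
            start = 0
            while (off := dump.find(needle, start)) != -1:
                hits.append({"secret": name, "encoding": enc, "offset": off})
                start = off + 1
    return hits


def find_jwt_like(dump: bytes) -> List[int]:
    """Offsets of JWT-shaped strings, which catches tokens not on the known list."""
    return [m.start() for m in JWT_RE.finditer(dump)]


def scan_dump(dump: bytes, secrets: Dict[str, str]) -> dict:
    """Combined report; an empty report after logout is the expected result
    once the token handler wipes its secrets."""
    return {"known": find_residue(dump, secrets), "jwt_like": find_jwt_like(dump)}


def redact(value: str) -> str:
    """Keep only a short prefix so a report can be shared without leaking the secret."""
    return value[:3] + "*" * max(0, len(value) - 3)


def build_sample_dump() -> bytes:
    """Constructed dump: one secret left as Latin-1, one as UTF-16LE, one
    unknown JWT-shaped string, and the P2P id correctly absent."""
    filler = b"\x00" * 64 + b"\xde\xad\xbe\xef" * 16  # 128 bytes of non-secret data
    unknown_jwt = b"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dGVzdHNpZ25hdHVyZQ"
    return (
        filler
        + b"mfa_code=" + KNOWN_SECRETS["mfa_code"].encode("latin-1") + b"\x00"
        + filler
        + KNOWN_SECRETS["cognito_id_token"].encode("utf-16-le")
        + filler
        + b"Authorization: Bearer " + unknown_jwt + b"\r\n"
        + filler
    )


if __name__ == "__main__":
    report = scan_dump(build_sample_dump(), KNOWN_SECRETS)
    for hit in report["known"]:
        print(f"{hit['secret']} ({hit['encoding']}) at offset {hit['offset']}: "
              f"{redact(KNOWN_SECRETS[hit['secret']])}")
    for off in report["jwt_like"]:
        print(f"JWT-shaped string not on the known list at offset {off}")
```

On a real dump, pass the file contents (e.g. the concatenated fridump3 output) as the `dump` argument and the values copied from the proxy as `secrets`; a non-empty `known` list after logout means the fix did not clear that value, and entries in `jwt_like` are worth tracing to the code path that created them.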
