Karnataka State Road Transport Corporation KSRTC AWATAR App Access Control Vulnerability

Vulnerability

A vulnerability has been identified in the KSRTC AWATAR app for Android, versions 1.4.2 and 1.4.3. It is reported as incorrect access control: the app stores sensitive user information, including email addresses, passwords, mobile numbers, and account IDs, in plaintext in its shared preferences (the XML files under the app's private shared_prefs directory). Keeping credentials unencrypted on the device exposes them to anyone who can read that directory, for example on a rooted device, through a local backup, or via another flaw that leaks app-private files. This violates mobile secure-storage best practices and the OWASP Mobile Top 10 (Insecure Data Storage).

Impact

An attacker who can read the app's shared preferences (root access, a device backup, or a malicious app abusing another local flaw) can recover plaintext credentials and personal data, which could lead to unauthorized access to user accounts, identity theft, and misuse of personal information. Because the password itself is stored rather than a session token, any reuse of that password on other services is exposed as well.

Reproduction

To reproduce this vulnerability, install version 1.4.2 or 1.4.3 of the KSRTC Karnataka app from the Google Play Store on a rooted device or emulator and log in with valid credentials. Then read the XML files in the app's shared preferences directory (/data/data/<package name>/shared_prefs/): the email address, password, mobile number, and account ID appear in plaintext.
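The reproduction above, as an added example that is not part of the advisory: a bash helper that copies an app's shared_prefs directory off a rooted device or emulator and flags string entries whose keys look credential-like. It assumes adb is on PATH and su works on the device; the package id is a placeholder, since the page does not name the real one, and the sample XML is constructed to mimic the described storage rather than captured from the KSRTC app.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): audit an Android app's shared_prefs
# for credentials stored in cleartext, the storage defect described above.
#
# Caveat: /data/data/<pkg>/shared_prefs is private to the app's UID, so on a
# stock, non-rooted phone this needs a rooted device or emulator (or an
# "adb backup" of the app, if it sets android:allowBackup="true").

PKG="${PKG:-com.example.placeholder}"   # assumption: replace with the real package id
KEY_RE='email|pass|pwd|mobile|phone|account|user|token'

# pull_prefs PKG OUTDIR: copy the app's shared_prefs directory off a rooted
# device/emulator. exec-out keeps the tar stream binary-clean.
pull_prefs() {
  local pkg="$1" out="$2"
  mkdir -p "$out"
  adb exec-out "su 0 tar -C /data/data/$pkg -cf - shared_prefs" | tar -xf - -C "$out"
}

# scan_prefs FILE: print KEY=VALUE for every <string> entry whose key looks
# credential-like. Android writes one entry per line, so line-based grep/sed
# is adequate here; this is not a general XML parser.
scan_prefs() {
  local file="$1"
  grep -Eo '<string name="[^"]+">[^<]*</string>' "$file" \
    | sed -E 's#<string name="([^"]+)">([^<]*)</string>#\1=\2#' \
    | grep -Ei "^([^=]*(${KEY_RE})[^=]*)=" || true
}

# count_hits FILE: number of flagged entries (0 means nothing obviously sensitive).
count_hits() { scan_prefs "$1" | grep -c . || true; }

# write_sample FILE: constructed sample of what a vulnerable app might write.
# NOT captured from the KSRTC app; values are made up.
write_sample() {
  cat > "$1" <<'EOF'
<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user_email">rider@example.com</string>
    <string name="password">Summer2024!</string>
    <string name="mobile">9000000000</string>
    <string name="account_id">A1B2C3</string>
    <boolean name="onboarding_done" value="true" />
    <string name="theme">dark</string>
</map>
EOF
}

# Usage: PKG=<real package id> ./prefs_audit.sh --pull ./out
if [ "${1:-}" = "--pull" ]; then
  out="${2:-./prefs}"
  pull_prefs "$PKG" "$out"
  for f in "$out"/shared_prefs/*.xml; do
    echo "== $f"
    scan_prefs "$f"
  done
fi
```

On the constructed sample, scan_prefs reports the email, password, mobile number and account ID and ignores the boolean and theme entries. The fix on the app side is to keep nothing but a short-lived session token on the device, and to put whatever must persist behind Android Keystore-backed storage (for example androidx EncryptedSharedPreferences) rather than plain SharedPreferences.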

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.