Meatmeet Pro Mobile Application Password Hashing Vulnerability

A vulnerability exists in the Meatmeet Pro mobile application version 1.1.2.0, which uses the outdated and insecure hashing algorithm MD5 to hash passwords. This flaw allows attackers to potentially crack the hashes and gain unauthorized access to user accounts. The vulnerability could be exploited by obtaining the hashed passwords through various means, such as exploiting cloud services or performing TLS downgrade attacks on mobile traffic.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user accounts by cracking the MD5 password hashes.

Reproduction

The vulnerability can be reproduced by intercepting the application's network traffic, which can be done by exploiting the lack of certificate pinning. This allows for a TLS downgrade attack, where the traffic can be intercepted in clear text. Once the traffic is captured, the MD5 hashes can be extracted and cracked, using tools like Hashcat, to retrieve the original passwords.