CityData CityChat Google Cloud Service Account Key Exposure Vulnerability

A vulnerability exists in CityData CityChat for Android, in versions up to 0.12.6. The issue arises from the application embedding a full Google Cloud service account key file within its assets, specifically in 'resources/assets/flutter_assets/assets/credentials.json'. This exposure allows an attacker, through reverse engineering, to extract the file and use the credentials to authenticate with Google Cloud Platform. The stolen credentials provide unauthorized read-only access to Dialogflow APIs, enabling the retrieval of agent details and a list of all intents. Such access could lead to information disclosure and potential misuse of the extracted conversational logic.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive Google Cloud resources, specifically Dialogflow data, which could be misused to manipulate or exploit chatbot functionalities.

Reproduction

The vulnerability can be reproduced by downloading the CityData CityChat application for Android, version 0.12.6 or earlier. After installation, the app can be reverse-engineered to access the embedded credentials file. The extracted Google Cloud service account key can then be used to authenticate with Google Cloud Platform and access Dialogflow APIs.