Meesho Online Shopping App Cryptographic Vulnerability in Android Versions through 27.3
Vulnerability
A cryptographic vulnerability exists in the Meesho Online Shopping App for Android, in versions up to 27.3. The issue arises in the component 'com.meesho.supply', specifically within the file '/api/endpoint'. The vulnerability involves the use of the AES encryption algorithm in CBC mode, which provides no integrity protection, combined with a weak key derivation process that relies on the deprecated MD5 algorithm. This flawed implementation allows encrypted data to be intercepted and modified without detection, potentially leading to unauthorized actions or exposure of sensitive information. The vulnerability is classified under CWE-327, indicating the use of a broken or risky cryptographic algorithm.
Impact
The vulnerability allows data integrity violations: intercepted ciphertext can be altered and sent to the server. This manipulation could change request parameters or, if the backend responds differently to modified ciphertext, be used as a padding oracle to decrypt data or forge messages.
Reproduction
To reproduce this vulnerability, install the Meesho Android app and configure a proxy tool like Burp Suite to intercept API requests. Once an API request containing the 'message' parameter is captured, modify the ciphertext portion by altering a single byte, then replay the request. The server will accept the modified ciphertext, indicating successful exploitation.
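The behaviour described above, shown in Go as an added example (not code from the app or the advisory): an AES-CBC pair with no MAC decrypts a ciphertext whose first byte was changed without raising any error, which is exactly why the server cannot tell the modified request from a genuine one, while AES-GCM, the usual hardened replacement, rejects it at the tag check. The key, the message and all function names are constructed for the demo; the proper fix for the MD5 key derivation is a random key held in the Android Keystore, which is assumed here rather than shown.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var key = bytes.Repeat([]byte{0x42}, 32) // constructed demo key; a real fix keeps a random key in the Android Keystore, never md5(secret)
func block() cipher.Block { b, _ := aes.NewCipher(key); return b } // 32-byte key never errors

// sealCBC: AES-CBC + PKCS#7 padding and no MAC, as the advisory describes; output is iv||ciphertext.
func sealCBC(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	rand.Read(out[:aes.BlockSize])
	cipher.NewCBCEncrypter(block(), out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// openCBC has nothing to verify: any block-aligned input whose padding parses is accepted.
func openCBC(ct []byte) ([]byte, error) {
	if len(ct) < 2*aes.BlockSize || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	pt := make([]byte, len(ct)-aes.BlockSize)
	cipher.NewCBCDecrypter(block(), ct[:aes.BlockSize]).CryptBlocks(pt, ct[aes.BlockSize:])
	if n := int(pt[len(pt)-1]); n >= 1 && n <= aes.BlockSize {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("bad padding")
}

// Tamper flips one byte in each ciphertext's first block and reports whether the scheme
// still accepts it: CBC does; AES-GCM, the hardened replacement, rejects it at tag check.
func Tamper(msg []byte) (cbcAccepted, gcmRejected bool) {
	cbc := sealCBC(msg)
	cbc[0] ^= 1
	_, errCBC := openCBC(cbc)
	aead, _ := cipher.NewGCM(block())
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce)
	g := aead.Seal(nil, nonce, msg, nil) // ciphertext||tag
	g[0] ^= 1
	_, errGCM := aead.Open(nil, nonce, g, nil)
	return errCBC == nil, errGCM != nil
}

func main() { fmt.Println(Tamper([]byte(`{"user_id":1001,"coupon":"WELCOME50"}`))) } // true true
```

A server-side check that only parses decrypted JSON cannot close this gap; the integrity check has to come from an authenticated mode or a MAC over the ciphertext.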
Remediation
No specific mitigation is known for this vulnerability.
