How to check whether the app has user information and data leakage vulnerabilities
2022-07-19 08:00:00 【websinesafe】
Recently we received repeated feedback from the DK platform that user data held in its APP had been leaked. Affected users were being harassed by telemarketing calls from Hong Kong numbers, and some had been defrauded online. In several cases a user filled in their mobile number on the platform's form and, not long afterwards on the same day, received a call from a Hong Kong number asking whether they needed a loan. Because the customer had been running promotions on Tiktok, Kuaishou and Baidu, the losses were considerable, so the cause of the mobile number leak had to be found as quickly as possible to stop further exposure of user data. After learning of the incident, we at SINE Security immediately set up a security emergency response team and, together with the customer's platform operations and maintenance staff, mapped out the overall situation of the servers, the H5 landing page, the API interfaces, the APP and the CRM back-office system.



We went through the servers and projects that touch the database in detail. The customer runs three Alibaba Cloud servers and one RDS database instance: one server hosts the API interface used by the APP and the H5 page, one hosts the CRM agency account system, and one hosts the back-office management system. Our SINE Security engineers performed a detailed security analysis of the server logs and of the nginx access logs for the API interface, and assigned technicians to the H5 landing page, its form-submission function and the customer's APP (which we downloaded) for a comprehensive manual penetration test. In the API interface that handles the form containing the mobile number, we found that the response packet leaks user information, as shown in the figure below:
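The nginx access-log analysis mentioned above is one place where a scripted harvest of a user-info endpoint stands out: one client hitting the same POST endpoint at a rate no real app user produces. The following script is an added example and not part of the original article or the customer's tooling; the endpoint path `/api/user/info`, the client addresses and the log lines are all constructed for illustration, and the thresholds are assumptions to be tuned against real traffic. Because the `uid` travels in the POST body, the default nginx log does not record it, so the check keys on request volume per client rather than on the parameter itself.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# nginx "combined" log format (default log_format in most distributions)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
_TZ = timezone(timedelta(hours=8))


def _build_sample_log() -> str:
    """Constructed sample log: one scripted harvester plus one ordinary user.

    These lines are invented for the example; they are not the customer's logs.
    """
    lines = []
    start = datetime(2022, 7, 18, 3, 0, 0, tzinfo=_TZ)
    # Harvester: 40 POSTs in 20 seconds from a single IP at 03:00 local time
    for i in range(40):
        ts = (start + timedelta(seconds=i // 2)).strftime(TS_FORMAT)
        lines.append(
            f'203.0.113.7 - - [{ts}] "POST /api/user/info HTTP/1.1" 200 512 '
            f'"-" "python-requests/2.28.0"'
        )
    # Ordinary app user: five calls spread over half an hour in the morning
    for i in range(5):
        ts = (start + timedelta(hours=6, minutes=7 * i)).strftime(TS_FORMAT)
        lines.append(
            f'198.51.100.20 - - [{ts}] "POST /api/user/info HTTP/1.1" 200 505 '
            f'"https://app.example/" "Mozilla/5.0 (Linux; Android 11) AppWebView"'
        )
    # Unrelated static request, should be ignored by the endpoint filter
    lines.append(
        f'198.51.100.20 - - [{ts}] "GET /static/logo.png HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'
    )
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def find_enumerators(log_text: str, endpoint: str, threshold: int = 30,
                     window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {client_ip: max_calls_in_window} for clients that made at least
    `threshold` successful calls to `endpoint` inside any `window`-long span."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"] != endpoint or m["status"] != "200":
            continue
        hits[m["ip"]].append(datetime.strptime(m["ts"], TS_FORMAT))

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        # Sliding window: advance `start` until the span fits inside `window`
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG, "/api/user/info").items():
        print(f"{ip}: {n} calls to /api/user/info within one minute")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; a harvester that paces itself slower than one call per two seconds will need a longer window and a lower threshold, which is why both are parameters.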

The POST request to this API interface carries a uid parameter, and the response packet returned for that uid leaks the user's data. The APP has more than 20,000 registered users, so the records of more than 20,000 people, including name, ID card number, mobile number, social security and real-estate assets, were being leaked day after day. This is an extremely serious vulnerability and has caused the platform operator heavy losses. After detailed communication with the customer we learned that the program's source code was originally developed and designed by a third-party company; as the business grew, the customer hired Java programmers for secondary development. On many interfaces these programmers were feeling their way through code they had not written, so some interface functions ended up with data leakage vulnerabilities, and the Java programmers could not locate the root cause in detail, since the original program was written by the third party rather than by them.

Our SINE Security engineers continued with detailed penetration tests on the other systems and servers. The back-office server also had security problems. The APP has many administrators, and inevitably some of them had set simple passwords, so weak-password vulnerabilities were found on several administrator accounts. After logging in as an administrator, we found the SMS interface's KEY and secret configured in the back office. Because the user mobile numbers in the back-office system are desensitized and encrypted, our SINE Security engineers then tested the third-party SMS channel with that KEY and secret and found a vulnerability in the third-party SMS API: the IP whitelist can be bypassed, the KEY and secret can be used directly to call the SMS interface, and the returned packet reveals the list of mobile numbers that text messages were sent to. As shown in the figure below:
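The interface flaw described above, a handler that trusts a client-supplied uid and serializes the whole user row, is shown below beside a hardened version. This is an added example written for this article, not the customer's Java code or the third-party developer's code; the in-memory user table, session tokens, field names and request shape are constructed for illustration. The hardened handler takes the caller's identity from the session rather than from the request body, rejects requests for another user's uid, and returns only an allow-listed set of fields with the mobile number masked.

```python
# Constructed in-memory data; the field names mirror the kinds of data the
# article says were exposed, the values are invented.
USERS = {
    1001: {"uid": 1001, "name": "Zhang San", "phone": "13800000001",
           "id_number": "110101199001010011", "social_security": "SS-0001",
           "assets": "1 apartment"},
    1002: {"uid": 1002, "name": "Li Si", "phone": "13900000002",
           "id_number": "110101199202020022", "social_security": "SS-0002",
           "assets": "none"},
}
# Session token -> uid; a real service would look this up in a session store
SESSIONS = {"tok-a": 1001, "tok-b": 1002}

# Only the fields the client screen actually needs are ever returned
RESPONSE_FIELDS = ("uid", "name", "phone")


def mask_phone(phone: str) -> str:
    """Desensitize a mobile number: keep first 3 and last 4 digits."""
    return phone[:3] + "****" + phone[-4:]


def _caller_uid(request: dict):
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    return SESSIONS.get(token)


def user_info_vulnerable(request: dict):
    """The pattern found in the audit: the uid in the POST body decides whose
    record is returned, and the entire row is serialized into the response.
    Any authenticated (or unauthenticated) client can walk uid=1, 2, 3, ..."""
    uid = int(request["body"]["uid"])
    row = USERS.get(uid)
    if row is None:
        return 404, {"error": "no such user"}
    return 200, dict(row)


def user_info_hardened(request: dict):
    """Identity comes from the session, not the body; a body uid is only
    accepted if it matches the caller; the response is allow-listed and
    the phone number is masked."""
    uid = _caller_uid(request)
    if uid is None:
        return 401, {"error": "login required"}
    requested = request.get("body", {}).get("uid")
    if requested is not None and int(requested) != uid:
        # Log this: a mismatched uid is exactly the probe an enumerator sends
        return 403, {"error": "forbidden"}
    row = USERS[uid]
    out = {k: row[k] for k in RESPONSE_FIELDS}
    out["phone"] = mask_phone(out["phone"])
    return 200, out


if __name__ == "__main__":
    # User 1001 asks for user 1002's record
    probe = {"headers": {"Authorization": "Bearer tok-a"}, "body": {"uid": "1002"}}
    print("vulnerable:", user_info_vulnerable(probe))
    print("hardened:  ", user_info_hardened(probe))
```

Note that masking in the response is not a substitute for the ownership check: the first fix is that the server never lets the client choose the uid, the second is that it never sends fields the screen does not display.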

Once a customer's APP reaches a certain scale, attacks against it increase. Many customers are focused on rapid business growth and neglect APP security, assuming that their own technicians can fix information leakage vulnerabilities. In practice that is rarely so: developers are responsible for implementing business functions, and usually do not know that a function may contain a vulnerability. Development and security are different disciplines with their own specialists, so a data leakage problem should be handed to a professional website vulnerability repair service provider to check the logs, audit the source code for vulnerabilities, and carry out overall security hardening and protection.

Some customers use an Alibaba Cloud RDS database without restricting database access to an IP whitelist. If an attacker obtains the Alibaba Cloud AccessKey and secret, they can retrieve the RDS connection information and steal the data in the database tables. In this case the attacker ran an automated job at a fixed time every day to pull users' mobile numbers and names, and resold the data to third parties, who then used Hong Kong numbers for harassing promotions and online fraud.

Our SINE Security advice: if you run into this kind of user data leakage, find a website security company with practical protection experience to deal with it. Only when the APP is secure and stable will customer information stay private and the user base keep growing, which is a win for both sides. The customer was satisfied with the investigation and repair of this sensitive information disclosure and signed up for long-term penetration testing and APP security maintenance. Whenever a new system goes online, a new function is added or code is modified, we carry out a manual security check straight away to detect vulnerabilities and information leakage, so that the vast majority of attacks are stopped before they start.