Okay. I've done some (minimal) work reviewing the app (Android version, since that tends to be easier) and the supposed findings. My results, at this stage, are mixed, but I largely agree that the app shouldn't be used.
Some of the supposed vulnerabilities have been fixed according to the original report, and the profiles section is currently down as the developers are seemingly working on fixes. For all the scaremongering about how unwilling the devs are to fix stuff, it seems like they're doing it just fine. I wonder if it might have something to do with how the "globesec" guys approached the subject (I suspect they were not pleasant about it).
Some of the findings are evidently valid - it's true that the application doesn't seem to enforce any meaningful authorisation (the concept of an "account" doesn't really exist here, and the username/password auth seems to be purely for decoration - everything seems to be tied to a device ID, which on Android is just this), and you can fetch those IDs from a bunch of places in the API. While I haven't explored this fully, I'm completely convinced that you would be able to retrieve a fair amount of data that users would consider to be private. "Cheating" the referral system is also very easy, as suggested. Woohoo, free premium.
Other findings seem unverifiable - plaintext passwords I can believe, but I see no indication of it in the app's current state (and digging deeper to find out would be breaking professional and ethical boundaries). That said, the login function is meaningless, so hey ho.
That said, the majority of what "globesec" are saying is complete gobbledygook. It's pretty clear they didn't find the findings themselves, nor do they understand them. The recommendation of HTTP Basic Authentication is complete nonsense, and wouldn't be usable in this context. The Bearer token generation script they came up with is utterly useless, too. You can request a Bearer token by making a single curl request, no need for the elaborate song and dance they've described - and since the app has virtually no authorisation, it doesn't matter what Bearer token you use.
For example, you can fetch a random Bearer with the following POST request:
POST /public/api/addtoken HTTP/2
Host: php83.flatsmacker.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 47
Accept-Encoding: gzip, deflate, br
User-Agent: Pete is so Handsome
device_id=pete&device_token=pete&device_type=69
This gives you a Bearer token for a nonsensical device with an ID of "pete". Doesn't matter, we just need a token.
With this token, you can, for example, rename an arbitrary user's account by making a simple request - you just need their e-mail address as the identifier. I won't be showing you how to do that.

The "Moderate" finding around how API details are distributed is also nonsense - it relies on someone successfully intercepting TLS traffic and modifying it - if you can do that, you can just as well intercept and modify communications with the API itself. (Okay, fine, the app uses certificate pinning on its main API and not Firebase, so intercepting Firebase would be easier - but still!). And, again, inexplicable mentions of a Bearer token in the middle of a vuln writeup of something that has nothing to do with authentication or authorisation.
In summary: the app's current state is pretty shambolic. However, the people disclosing these issues have no idea what they're talking about, likely received the information from someone else, and are clearly misusing it to prop themselves up. It's scammers all the way down, and I don't like that.
I leave you with a picture of BigManPete dominating the referral leaderboard for the app. I was hoping to stop at 69 referrals, but counting is hard.
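As an added illustration (not code from the post, the app, or the "globesec" report), the following Python models the two behaviours the post describes: a token endpoint that issues a Bearer to any caller for any device ID, and a rename endpoint that picks its target by e-mail and never checks that the Bearer belongs to that account. A hardened variant of the same surface binds each token to the account that authenticated for it and refuses to touch anyone else's record. All accounts, passwords, device IDs and tokens are made up, and the in-memory "server" is a stand-in, not the real API.

```python
"""Constructed model of the authorisation failure described above.

Added example, not the app's code or the report's script: it models an
addtoken-style endpoint that issues a bearer token to any caller for any
device_id, and a rename endpoint that names its target by e-mail and never
checks that the bearer belongs to that account. A hardened variant binds
each token to the account that authenticated for it and refuses to modify
anyone else's record. Users, passwords and device IDs are made-up sample
data; real code would store password hashes, not plaintext.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample data: accounts keyed by e-mail, as the app appears to do.
SAMPLE_USERS = {
    "alice@example.test": {"name": "Alice", "device_id": "dev-alice"},
    "bob@example.test": {"name": "Bob", "device_id": "dev-bob"},
}
# Constructed credentials for the hardened variant only (plaintext for brevity).
SAMPLE_PASSWORDS = {"alice@example.test": "alice-pw", "bob@example.test": "bob-pw"}


class AuthError(Exception):
    """Raised when a request is not authenticated or not authorised."""


def _fresh_users() -> dict:
    return {email: dict(rec) for email, rec in SAMPLE_USERS.items()}


@dataclass
class WeakApi:
    """Tokens are decoration: any token that exists unlocks any account."""
    users: dict = field(default_factory=_fresh_users)
    tokens: set = field(default_factory=set)

    def addtoken(self, device_id: str, device_token: str, device_type: str) -> str:
        # Nothing about the device is verified; "pete"/"pete"/"69" is as good as anything.
        token = secrets.token_hex(16)
        self.tokens.add(token)
        return token

    def rename(self, bearer: str, email: str, new_name: str) -> str:
        if bearer not in self.tokens:          # authentication, such as it is
            raise AuthError("unknown token")
        # No authorisation step: the caller picks the victim by e-mail.
        self.users[email]["name"] = new_name
        return new_name


@dataclass
class HardenedApi:
    """Same surface, but each token is bound to an account and ownership is checked."""
    users: dict = field(default_factory=_fresh_users)
    tokens: dict = field(default_factory=dict)   # bearer -> e-mail it was issued to

    def login(self, email: str, password: str) -> str:
        expected = SAMPLE_PASSWORDS.get(email, "")
        if not hmac.compare_digest(expected.encode(), password.encode()):
            raise AuthError("bad credentials")
        token = secrets.token_hex(16)
        self.tokens[token] = email            # the token now carries an identity
        return token

    def rename(self, bearer: str, email: str, new_name: str) -> str:
        owner = self.tokens.get(bearer)
        if owner is None:
            raise AuthError("unknown token")
        if owner != email:                    # authorisation: only your own record
            raise AuthError("token does not belong to this account")
        self.users[email]["name"] = new_name
        return new_name


def demo() -> dict:
    """Run both models and return the observable outcomes."""
    weak = WeakApi()
    junk = weak.addtoken("pete", "pete", "69")
    weak_result = weak.rename(junk, "bob@example.test", "BigManPete")

    hard = HardenedApi()
    alice = hard.login("alice@example.test", "alice-pw")
    try:
        hard.rename(alice, "bob@example.test", "BigManPete")
        blocked = False
    except AuthError:
        blocked = True
    own = hard.rename(alice, "alice@example.test", "Alice B.")
    return {
        "weak_renamed_bob_to": weak_result,
        "weak_bob_name": weak.users["bob@example.test"]["name"],
        "hardened_cross_account_blocked": blocked,
        "hardened_bob_name": hard.users["bob@example.test"]["name"],
        "hardened_own_rename": own,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the weak model makes is that "is this a token we issued?" is not the same question as "does this token entitle the caller to act on this record?"; the hardened variant answers the second question by remembering who each token was issued to and comparing that identity against the target of every mutating request.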
