[Security Advisory] todoist Unauthorized Third Party Access Vulnerability

On September 20th 2016 I reported the following vulnerability to the todoist Team.

A design flaw exists in the way the registration / invitation process is handled.

Description
*************

– A todoist user invites another person via email.

– The recipient of this invitation can join the todoist project by following the link in the invitation email, which carries the invitation key as a URL parameter. The recipient can log in with an existing account or create a new one.

Impact:
*********

The invitation key is not bound to the recipient's email address on the server side. Thus, anyone who gets hold of the email or the invitation key can join the project, whatever email address they use when following the invitation link. The risk of the email being exposed certainly depends on the user's behaviour, but in the days of free public and unencrypted WiFi everywhere I would rate this vulnerability as medium to high, as unauthorized third parties would be able to access regular users' content. If such a breach happens and becomes public, the damage to your business and to the trust of your customers would be high.

Recommendation:
*********************

It is recommended to bind the invitation key to the recipient's email address within the server-side application logic. If a user tries to create an account with an email address that differs from the original recipient's, the invitation key should be invalidated.
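The following is an added example of the recommended server-side check; it is not todoist's code, and the class and method names (InvitationStore, create, accept) are assumptions. The key is random, only its hash is stored, it is bound to the normalised invited address, it expires, it is single-use, and an attempt to redeem it from an account with a different address burns it, as the advisory recommends:

```python
"""Invitation keys bound to the invited address (added example, not todoist's code).

Assumed helper names: InvitationStore.create / InvitationStore.accept.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


class InvitationError(Exception):
    """Raised when an invitation key cannot be redeemed."""


@dataclass
class Invitation:
    project_id: str
    invited_email: str   # normalised address the key is bound to
    key_hash: str        # only a hash of the key is kept server side
    expires_at: float
    accepted: bool = False
    revoked: bool = False


def normalise(email: str) -> str:
    # Case-insensitive comparison; real code would also validate the address.
    return email.strip().lower()


def hash_key(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


class InvitationStore:
    """In-memory stand-in for the server-side table of pending invitations."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600) -> None:
        self._by_hash: Dict[str, Invitation] = {}
        self.ttl = ttl_seconds

    def create(self, project_id: str, email: str, now: Optional[float] = None) -> str:
        """Issue a single-use key for one address; the clear key is only emailed."""
        key = secrets.token_urlsafe(32)
        issued = now if now is not None else time.time()
        inv = Invitation(project_id, normalise(email), hash_key(key), issued + self.ttl)
        self._by_hash[inv.key_hash] = inv
        return key

    def accept(self, key: str, account_email: str, now: Optional[float] = None) -> str:
        """Redeem a key for the authenticated account's verified address.

        `account_email` must come from the session (existing login) or from the
        address a new account was verified with, never from a form field.
        Returns the project id the account may join.
        """
        inv = self._by_hash.get(hash_key(key))
        if inv is None or inv.revoked or inv.accepted:
            raise InvitationError("unknown, used or revoked invitation key")
        if (now if now is not None else time.time()) > inv.expires_at:
            raise InvitationError("invitation key expired")
        # Constant-time compare of the bound address with the account's address.
        if not hmac.compare_digest(inv.invited_email.encode("utf-8"),
                                   normalise(account_email).encode("utf-8")):
            inv.revoked = True   # a mismatch burns the key, as the advisory recommends
            raise InvitationError("invitation key is bound to a different address")
        inv.accepted = True
        return inv.project_id
```

The important design point is where `account_email` comes from: the check is only meaningful if the address is the one the server has already authenticated or verified for the account, so a new-account flow must verify the address before the key is redeemed.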

Timeline
*********************

20.09.2016 Reported vulnerability to todoist Team

22.09.2016 1st Response from todoist requesting more details

22.09.2016 Detailed information about the vulnerability sent to todoist, with notice of responsible disclosure after 90 days or later

22.09.2016 Answer by todoist stating that the issue will be reported to dev team

today: No confirmation or further correspondence received

[iOS] Scrambled Net for iPhone / iPad released

[TL/DR] Grab it here: https://itunes.apple.com/de/app/scrambled-net/id1061103170?mt=8

As for many of you, the addictive puzzle game Scrambled Net was a game that I always installed as the first app on any new Android phone I had in the past. When I switched to iOS for my daily driver about a year ago, that game was something I always missed. It had helped me out the many times when I had to wait for a flight/train/doctor/whatever. So I decided to write it from scratch for iOS devices, and I will add new things over time.
It’s been released a week ago and I’m playing it daily.

A currently pending release, yet to be approved by Apple, adds Game Center support and a global Leaderboard so you can compare your skills with others around the world.

Enjoy.

Cheers.


[Android] HushSMS v2.7.7 (bugfix release)

It’s been a while, and due to a lot of other stuff and regular workload I was not able to do anything related to HushSMS. However, since there were a lot of updates to the Android OS, some things got messed up in HushSMS. With this release I addressed two very annoying issues.

1. The “allyoumessages…” message in the sent items folder of the SMS application now reads “HushSMS message sent” again.
2. Some devices used another API method when sending SMS out, and I added this API method. So finally the handful of users who had problems sending messages with HushSMS are now able to use the app. Sorry for the delay folks and thanks for your patience.

I am planning new features in HushSMS as requested by some users, like a history of sent messages and the possibility to define a favourite list where you can put in target and message type combinations for messages you tend to send frequently.

If you have ideas on how to extend the app or if you have features you’d like to see added, please don’t hesitate to drop me a line.

Cheers

[iOS] My App Statistics v1.1 is out

Hey folks,

today Apple approved My App Statistics and it is available in the iTunes App Store now. This app was created in the hope that it would be useful to other developers who develop Android apps and sell them in the Google Play Store but use an iPhone as their daily driver. You can get all your sales data from Google Wallet and have it presented in the app, including some graphs.

The full description can be read on the product page here.

Or you can head over to the iTunes App Store directly. The app is not free and costs 2.99€ / $2.99:
Apple App Store page

[Android] HushSMS 2.7.6 is out

A new year a new release.

Changes are:

– Added the option to send raw SubmitPDUs directly
– Code optimisation

With the new option you can send raw SubmitPDUs directly from HushSMS, extending your possibilities to manipulate SMS messages directly without the need for a complicated PC/modem setup. You surely must be able to speak PDU though… 🙂

I also just released SMSProxy to the Google Play Store. With SMSProxy all outgoing SMS are monitored and logged into a database, including timestamp, target number, content (if applicable) and the FULL SubmitPDU. Guess what: you can copy the logged PDUs from SMSProxy and paste them into HushSMS’s new option for sending SubmitPDUs. Cool, isn’t it?

Enjoy & Cheers

[Android] HushSMS v2.7.5 is out

Changes in version 2.7.5 are:

– Added option to set the number of waiting messages in MWI when using the UDH method
– Fixed a bug in Replace messages when the phone automatically adds a validity period to the message
– Added option to disable delivery report for Class 0 messages, as per user request

Enjoy

[Android] HushSMS 2.7.2 is out

Changes are:

– UI changes
– Added notification sound for Alert Messages
– Changed some functions so that users with an HTC device with Sense UI ROM can now also use the Xposed Module (not required though)
– Removed the annoying “allyourmessages…” message from the inbox when using Xposed (now only shows “HushSMS message sent”)

Enjoy

[Android] HushSMS 2.7.1 is out

Changes are:

– Set the fields for Number and Message as variable instead of static in the Tasker plugin. This should give you some more flexibility when using HushSMS with Tasker.
– Fixed a bug in the “Alert Feature” where alerts were not shown under some circumstances

Enjoy

[Android] HushSMS v2.7 is out

Changes:

– Fixed a bug which prevented HushSMS from working properly on CM11 builds after 31.06.2014. It’s working fine again now on the latest CM11 nightlies
– Reintegrated the Xposed Module into HushSMS. You no longer need to install a separate Xposed Module APK. Please disable/uninstall the old module in Xposed Framework prior to using v2.7

Enjoy,

Michael