Zenly, a social app from Snap that allows users to monitor the positions of friends and family on a live map, has two flaws that potentially imperil people being tracked. The issues are a user-data disclosure vulnerability and an account-takeover vulnerability, according to the Checkmarx Security Research Team.
Zenly is a real-time location-sharing app created in 2015 by Alexis Bonillo and Antoine Martin in Paris, France. Its primary purpose is sharing and monitoring locations with friends. The app can communicate not only your current position, but also your direction of travel and speed. Zenly employs dependable, effective, and precise positioning technology to pinpoint the location of friends or family members.
According to Checkmarx, the user-data disclosure vulnerability is reached through the "Add by Username" procedure, which begins by searching for a known username. Then, to view the requests made during the username search, "an environment that permits intercepting and decoding network requests to get visibility into network activities" can be employed.
“By observing the response of the request that was executed on the /UserPublicFriends endpoint, a list of friends can be seen, although it is not displayed on the user interface of the application,” according to the analysis. “This list contains every friend of the user, one of them is Bogus_CEO (bogus CEO of Zenly, for demonstration purposes). Note that the response also contains their username, which could in turn be used to repeat this process and obtain their friends list instead.”
According to the researchers, once the target username has been found, the same interceptor can be used to retrieve the associated phone number by opening the "Add by Username" view and then clicking the "Add as Friend" button.
The mitigation for this vulnerability can be divided into two steps. The most serious consequence is access to a user's Personally Identifiable Information (PII) without their permission. This can be avoided by removing the target's phone number field from the response sent when a friend request is created. The second step is to limit or shape the data returned by the /UserPublicFriends endpoint when a username search is performed, rather than returning the entire list of the friends' usernames.
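The sketch below is an added example, not Checkmarx's or Zenly's code, showing both mitigation steps as a server-side allow-list applied before any response is serialized. The field names, the sample records, the `friend_request` label and the "mutual friends only" shaping policy are all assumptions made for illustration.

```python
from copy import deepcopy

# Constructed records; field names are assumptions, not Zenly's real schema.
USERS = {
    "target": {"username": "target", "phone_number": "+15550100",
               "friends": ["bogus_ceo", "alice", "bob"]},
    "alice": {"username": "alice", "phone_number": "+15550101",
              "friends": ["target"]},
    "mallory": {"username": "mallory", "phone_number": "+15550102",
                "friends": ["alice"]},
}

# Per-endpoint allow-lists: a field not named here never leaves the server.
# "friend_request" is a hypothetical label; the page does not name that endpoint.
ALLOWED = {
    "/UserPublicFriends": {"username", "mutual_friends"},
    "friend_request": {"request_id", "target_username", "status"},
}
SENSITIVE = {"phone_number", "friends"}


def shape(endpoint, record):
    """Copy only allow-listed fields; unknown endpoints raise KeyError (fail closed)."""
    allowed = ALLOWED[endpoint]
    return {k: deepcopy(v) for k, v in record.items() if k in allowed}


def user_public_friends(requester, username):
    """Username search: expose only friends the requester already has."""
    target = USERS[username]
    mutual = sorted(set(target["friends"]) & set(USERS[requester]["friends"]))
    return shape("/UserPublicFriends", dict(target, mutual_friends=mutual))


def create_friend_request(requester, username):
    """Friend request: the handler holds the full record, the reply does not."""
    target = USERS[username]
    record = dict(target, request_id="req-1",
                  target_username=target["username"], status="pending")
    return shape("friend_request", record)


def leaked_fields(obj):
    """Recursively list sensitive keys in a response, for a regression test."""
    if isinstance(obj, dict):
        hits = [k for k in obj if k in SENSITIVE]
        return hits + [h for v in obj.values() for h in leaked_fields(v)]
    if isinstance(obj, list):
        return [h for v in obj for h in leaked_fields(v)]
    return []
```

Running `leaked_fields` over every API response in an integration test catches the case where a field is present in the wire response even though the user interface never displays it.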
According to Checkmarx, the second bug appears in the user-authentication flow. This flow uses SMS messages carrying verification codes to validate sessions. After the SMS message is sent to the user, the app calls the /SessionVerify endpoint with the session token and the SMS verification code.
Both vulnerabilities have been fixed, and users should update their apps to the most recent version to avoid compromise, according to the company.