
FSSA-2009-0401.txt

Posted on 21 July 2009
Source: packetstormsecurity.org

 

Advisory Title: mChek 3.4 Information Disclosure
Advisory ID: FSSA-2009-0401
Author: Gursev Kalra (gursev.kalra@foundstone.com)
Vendor Contact Date: 4/21/2009 (Vendor notified by email)
Release Date: 07/21/2009
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in the same way.
Severity: Low (Information Disclosure)
Vendor Status: Version 3.8 fixes this problem

Overview: The mChek application stores credit/debit card numbers and the bank name without protection.

Application: mChek 3.4 by http://www.mchek.com/
Platform: Symbian OS 9.1, Series 60 v3.0. Other mobile platforms might behave in the same way.
Severity: Low

Details:


Vendor Response:

Having said that, even in Version 3.4, only the credit card number and bank name were stored as cleartext. The risk was very low, as it is not possible to make a transaction with the card number alone. All other sensitive data, like the exp date for example, are encrypted and stored, and the encryption key is never stored in the mobile phone, making the information very secure.

Recommendation:
Upgrade to version 3.8 or above.
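
A check for the condition this advisory describes, for example to confirm after upgrading that an application data file no longer holds card numbers in cleartext. This is an added example, not code from the advisory or from mChek; the file layout, the sample bytes and the function names are assumptions, and the scan covers 8-bit and UTF-16LE text only.

```python
import re

# Card-number candidates: 13-19 digits, as 8-bit text (optionally grouped with
# spaces or hyphens) or as UTF-16LE text (assumption: the store may hold
# 16-bit strings, as is common on Symbian).
ASCII_PAN = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
UTF16_PAN = re.compile(rb"(?<!\d\x00)(?:\d\x00){13,19}(?!\d\x00)")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first 6 and last 4 digits so findings are safe to log."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cleartext_pans(blob: bytes):
    """Return sorted (offset, masked_number) for Luhn-valid numbers in blob."""
    hits = []
    for pattern in (ASCII_PAN, UTF16_PAN):
        for m in pattern.finditer(blob):
            digits = re.sub(rb"\D", b"", m.group()).decode("ascii")
            if luhn_ok(digits):
                hits.append((m.start(), mask(digits)))
    return sorted(hits)


# Constructed sample of an application data file (not mChek's real format);
# the card numbers are well-known test values.
SAMPLE = (
    b"\x02\x00" + "card=4111111111111111".encode("utf-16-le") + b"\x00\x00"
    b"bank=EXAMPLE BANK;alt=4012-8888-8888-1881;ref=1234567890123456\x00"
)

if __name__ == "__main__":
    for offset, masked in find_cleartext_pans(SAMPLE):
        print(f"cleartext card number at offset {offset}: {masked}")
```

The Luhn check filters out digit runs that cannot be card numbers, such as the constructed `ref=` value, and findings are masked so the report does not itself repeat the exposure.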

For questions and comments please send an email to:
research@foundstone.com

Foundstone Vulnerability Research Advisory Archive:
http://www.foundstone.com/research/advisories

 
