Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences #205

Closed
1 task done
luchua-bc opened this issue Nov 16, 2020 · 6 comments
Closed
1 task done

[Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences #205

luchua-bc opened this issue Nov 16, 2020 · 6 comments
Labels
All For One Submissions to the All for One, One for All bounty

Comments

@luchua-bc
Copy link

luchua-bc commented Nov 16, 2020
edited

CVE ID(s)

List the CVE ID(s) associated with this vulnerability. GitHub will automatically link CVE IDs to the GitHub Advisory Database.

Report

Describe the vulnerability. Provide any information you think will help GitHub assess the impact your query has on the open source community.
SharedPreferences is an Android API that stores application preferences using simple sets of data values. Almost every Android application uses this API. It allows to easily save, alter, and retrieve the values stored in SharedPreferences.

However, sensitive information should not be saved in cleartext. Otherwise it can be accessed by any process or user on rooted devices, or can be disclosed through chained vulnerabilities e.g. unexpected access to its private storage through exposed components. Hundreds of GitHub repositories have this vulnerability of storing sensitive information in cleartext.

The query detects this issue and integrates with the existing core libraries.

Relevant PR: #4675

  • Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc). We would love to have you spread the word about the good work you are doing

Result(s)

Provide at least one useful result found by your query, on some revision of a real project.
@luchua-bc luchua-bc added the All For One Submissions to the All for One, One for All bounty label Nov 16, 2020
@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Dec 23, 2020

Your submission is now in status CodeQL review.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Mar 10, 2021

Your submission is now in status SecLab finalize.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Mar 10, 2021

Your submission is now in status Pay.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@xcorail
Copy link
Contributor

xcorail commented Mar 10, 2021

Created Hackerone report 1122661 for bounty 282422 : [205] [Java] CWE-312: Query to detect cleartext storage of sensitive information using Android SharedPreferences

@xcorail xcorail closed this as completed Mar 10, 2021
@ghsecuritylab
Copy link
Collaborator

ghsecuritylab commented Mar 10, 2021

Your submission is now in status Closed.

For information, the evaluation workflow is the following:
CodeQL initial assessment > SecLab review > CodeQL review > SecLab finalize > Pay > Closed

@luchua-bc
Copy link
Author

luchua-bc commented Mar 10, 2021

Thanks @xcorail for the quick turn-around and the bounty:).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
All For One Submissions to the All for One, One for All bounty
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@xcorail @luchua-bc @ghsecuritylab