FDEU-CVE-2023-5ef0

Summary

VeroCafe insecure mobile application: the Android loyalty app, built on the DeliveryMobile.ru platform, leaks backend service credentials.

Tech details

The VeroCafe Android application, built on the DeliveryMobile.ru platform, contains multiple vulnerabilities. In addition, the platform service is provided and hosted by a Russian-owned company, which is a significant reputational risk.

About Vero Cafe

VeroCafe is a chain of coffee shops in Lithuania (operated by "UAB Ex prompto", company ID 301127637). Last year VeroCafe released a mobile application that serves as a loyalty card, allowing users to register and receive discounts.

Backend service - deliverymobile.ru

The app's UI is built on the Xamarin framework. Backend communication goes to https://servereu.deliverymobile.ru, for example:

https://servereu.deliverymobile.ru/api/1/accessToken?login=verocafe

Google Play identifies the developer of the app as "DELIVERYmobile, LLC" and "RISElogic". Listing the other apps of the same developer shows around a hundred other food-delivery applications, mostly in Russia, but also some in Lithuania.

Service provided by a state sponsor of terrorism

In 2014 the Russian Federation invaded Ukraine, annexed part of its territory and continued to support hybrid attacks. In 2022 it invaded Ukraine again and started a full-scale war, which is still ongoing and has killed thousands of people.

During the 2022 Russian invasion of Ukraine, Russian authorities and armed forces committed multiple war crimes in the form of deliberate attacks against civilian targets, massacres of civilians, torture and rape of women and children, and indiscriminate attacks in densely populated areas:

https://en.wikipedia.org/wiki/War_crimes_in_the_2022_Russian_invasion_of_Ukraine

The European Parliament declared the Russian Federation a state sponsor of terrorism:

https://www.europarl.europa.eu/news/en/press-room/20221118IPR55707/european-parliament-declares-russia-to-be-a-state-sponsor-of-terrorism

The FullDisclosure team and our partners support Ukraine. We are not going to report the vulnerabilities we found to DeliveryMobile. We also encourage Lithuanian coffee lovers to stop using VeroCafe because of its ties with a state sponsor of terrorism.

Service credentials leaked

Here are some of the credentials the VeroCafe app leaks. They are mail-sending (SMTP) accounts of the DeliveryMobile.ru platform, including one on the platform's own mail server (mail.deliverymobile.ru) that is configured without SSL, so the password itself crosses the network in clear text every time the app sends mail:

    {
      "email": "order@deliverymobile.ru",
      "user": "order@deliverymobile.ru",
      "pass": "XdSaBuv6891Idog5ScHidik36CedThu9",
      "host": "mail.deliverymobile.ru",
      "port": 10025,
      "ssl": false
    },
    {
      "email": "deliverymobile.order@gmail.com",
      "user": "deliverymobile.order@gmail.com",
      "pass": "krbxtxuxvcsaqrwz",
      "host": "smtp.gmail.com",
      "port": 587,
      "ssl": true
    },
    {
      "email": "deliverymobile.order@yandex.ru",
      "user": "deliverymobile.order@yandex.ru",
      "pass": "btgmurqznoqickwf",
      "host": "smtp.yandex.ru",
      "port": 587,
      "ssl": true
    },
    {
      "email": "deliverymobile.order@mail.ru",
      "user": "deliverymobile.order@mail.ru",
      "pass": "socucifddlhgoedb",
      "host": "smtp.mail.ru",
      "port": 587,
      "ssl": true
    },
    {
      "email": "deliverymobile.order@hotmail.com",
      "user": "deliverymobile.order@hotmail.com",
      "pass": "wiqfsatyfgrgasfz",
      "host": "smtp-mail.outlook.com",
      "port": 587,
      "ssl": true
    }
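
One way to turn a finding like this into a repeatable check, as an added example that is not part of the original advisory: a small scanner that walks a strings dump of decompiled assemblies or extracted assets, picks out JSON records with the user/pass/host shape shown above, and rates each one (any embedded account is high, an account used without SSL is critical, an account at a public mail provider is usable from anywhere). The advisory does not say where in the app the records sit, so the scanner assumes flat JSON objects; the sample dump, and every account name and password in it, is a constructed placeholder.

```python
import json
import re
from dataclasses import dataclass, field

# Constructed sample input (placeholder values, not the advisory's data): the kind
# of text a strings dump of decompiled app assemblies or extracted assets contains.
SAMPLE_DUMP = """
resources/strings: loyalty card
{"email": "orders@example.test", "user": "orders@example.test",
 "pass": "Placeholder-Password-1", "host": "mail.example.test",
 "port": 10025, "ssl": false}
api base https://backend.example.test/api/1/
{"email": "orders@gmail.example", "user": "orders@gmail.example",
 "pass": "abcdefghijklmnop", "host": "smtp.gmail.com", "port": 587, "ssl": true}
{"theme": "dark", "ssl": true}
"""

# Keys that make a JSON object look like a mail-account credential record.
CREDENTIAL_KEYS = {"user", "pass", "host"}
# Submission hosts of public mail providers: an account there works from any network.
PUBLIC_PROVIDERS = ("smtp.gmail.com", "smtp.yandex.ru", "smtp.mail.ru", "smtp-mail.outlook.com")
# Flat JSON objects (no nesting), which is all the record format above needs.
JSON_OBJECT = re.compile(r"\{[^{}]*\}")


@dataclass
class Finding:
    user: str
    host: str
    port: int
    ssl: bool
    severity: str
    reasons: list = field(default_factory=list)

    def redacted(self) -> str:
        """One report line with the password omitted, for a ticket or advisory."""
        return (f"{self.severity.upper()}: {self.user} @ {self.host}:{self.port} "
                f"(ssl={self.ssl}) - {'; '.join(self.reasons)}")


def classify(record: dict) -> Finding:
    """Rate one embedded credential record. Any such record is already 'high':
    every installed copy of the app carries a working server-side secret."""
    host = str(record["host"])
    port = int(record.get("port", 0))
    ssl = bool(record.get("ssl", False))
    reasons = ["mail account password embedded in client"]
    severity = "high"
    if not ssl:
        # Password and message content cross the network unencrypted.
        reasons.append(f"ssl=false: submission to {host}:{port} in clear text")
        severity = "critical"
    if host in PUBLIC_PROVIDERS:
        reasons.append("public provider account: anyone holding the password can send as this identity")
    return Finding(str(record["user"]), host, port, ssl, severity, reasons)


def find_credential_records(text: str) -> list:
    """Extract every flat JSON object carrying user/pass/host and classify it."""
    findings = []
    for match in JSON_OBJECT.finditer(text):
        try:
            obj = json.loads(match.group(0))
        except json.JSONDecodeError:
            continue  # a brace pair in ordinary code or text, not JSON
        if not isinstance(obj, dict) or not CREDENTIAL_KEYS.issubset(obj):
            continue
        findings.append(classify(obj))
    return findings


if __name__ == "__main__":
    # Usage: pipe a strings dump into this instead of SAMPLE_DUMP.
    for finding in find_credential_records(SAMPLE_DUMP):
        print(finding.redacted())
```

The redacted report line is what belongs in a disclosure or ticket; the password stays in the raw finding only so the app owner can match it against their configuration and rotate it.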

Timeline

2022-11-23 - initial research
2022-11-29 - contacted VeroCafe regarding the findings. No response
2023-01-26 - full disclosure