FDEU-CVE-2023-5ef0
Summary
VeroCafe insecure mobile application.
Tech details
The VeroCafe Android application, built on the DeliveryMobile.ru platform, contains multiple vulnerabilities. In addition, the platform service is provided and hosted by a company owned in the russian federation, which is a significant reputational risk.
About Vero Cafe
VeroCafe is a network of coffee shops in Lithuania (operated by "UAB Ex prompto", company ID 301127637). Last year VeroCafe released a mobile application which is used as a loyalty card, allowing users to register and get discounts.
Backend service - deliverymobile.ru
The app's UI is built on the Xamarin framework. Backend communication goes over https://servereu.deliverymobile.ru, for example:
https://servereu.deliverymobile.ru/api/1/accessToken?login=verocafe
Google Play identifies the developer of the app as "DELIVERYmobile, LLC" and "RISElogic". Listing the same developer's other apps shows a hundred other food delivery applications, mostly in russia but also some in Lithuania.
Service provided by a state sponsor of terrorism
In 2014 the russian federation invaded Ukraine, annexed part of its territory and kept supporting hybrid attacks. In 2022 it invaded Ukraine again and started a full-scale war, which is still ongoing and has killed thousands of people.
During the 2022 russian invasion of Ukraine, russian authorities and armed forces committed multiple war crimes in the form of deliberate attacks against civilian targets, massacres of civilians, torture and rape of women and children, and indiscriminate attacks in densely populated areas:
https://en.wikipedia.org/wiki/War_crimes_in_the_2022_Russian_invasion_of_Ukraine
The EU declared the russian federation a state sponsor of terrorism:
FullDisclosure team and our partners support Ukraine. We are not going to report any vulnerabilities found to DeliveryMobile. We also encourage Lithuanian coffee lovers to stop using VeroCafe because of their ties with a state sponsor of terrorism.
Service credentials leaked
Here are some credentials that the VeroCafe app leaked:
{ "email": "order@deliverymobile.ru", "user": "order@deliverymobile.ru", "pass": "XdSaBuv6891Idog5ScHidik36CedThu9", "host": "mail.deliverymobile.ru", "port": 10025, "ssl": false },
{ "email": "deliverymobile.order@gmail.com", "user": "deliverymobile.order@gmail.com", "pass": "krbxtxuxvcsaqrwz", "host": "smtp.gmail.com", "port": 587, "ssl": true },
{ "email": "deliverymobile.order@yandex.ru", "user": "deliverymobile.order@yandex.ru", "pass": "btgmurqznoqickwf", "host": "smtp.yandex.ru", "port": 587, "ssl": true },
{ "email": "deliverymobile.order@mail.ru", "user": "deliverymobile.order@mail.ru", "pass": "socucifddlhgoedb", "host": "smtp.mail.ru", "port": 587, "ssl": true },
{ "email": "deliverymobile.order@hotmail.com", "user": "deliverymobile.order@hotmail.com", "pass": "wiqfsatyfgrgasfz", "host": "smtp-mail.outlook.com", "port": 587, "ssl": true }
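As an added example (not part of the advisory), the following script shows how a defender or app reviewer can scan a string dump from an app package for embedded mail-credential objects of the shape shown above and report them with the secret redacted. The sample dump, hostnames and passwords in it are constructed placeholders, not the leaked values.

```python
import json
import re
from typing import Dict, List

# Keys that, found together in one flat JSON object, mark it as an SMTP-style
# credential blob, i.e. the shape of the objects the app shipped with.
CREDENTIAL_KEYS = {"user", "pass", "host", "port"}

# Matches flat JSON objects (no nesting) embedded anywhere in a string dump.
_OBJECT_RE = re.compile(r"\{[^{}]*\}")


def redact(secret: str) -> str:
    """Keep the first two characters and the length so a finding can be
    reported and tracked without re-leaking the secret itself."""
    return f"{secret[:2]}{'*' * (len(secret) - 2)}" if len(secret) > 2 else "**"


def find_embedded_credentials(blob: str) -> List[Dict[str, object]]:
    """Return one redacted finding per credential-shaped JSON object in `blob`.
    `blob` is whatever was extracted from the package, e.g. the output of
    `strings` over the decompiled .NET assemblies of a Xamarin app."""
    findings = []
    for match in _OBJECT_RE.finditer(blob):
        try:
            obj = json.loads(match.group(0))
        except ValueError:
            continue  # braces that are not JSON, e.g. a code fragment
        if not isinstance(obj, dict) or not CREDENTIAL_KEYS.issubset(obj):
            continue
        findings.append({
            "user": obj["user"],
            "host": obj["host"],
            "port": obj["port"],
            "ssl": bool(obj.get("ssl", False)),
            "pass": redact(str(obj["pass"])),
        })
    return findings


# Constructed sample dump: two credential objects mixed with unrelated strings.
SAMPLE_DUMP = (
    'AppConfig {"theme":"dark"} '
    '{ "email": "order@example.invalid", "user": "order@example.invalid", '
    '"pass": "ExamplePassword123", "host": "mail.example.invalid", "port": 10025, "ssl": false } '
    'some C# metadata { not json } '
    '{ "user": "relay@example.invalid", "pass": "abcdefghijklmnop", '
    '"host": "smtp.example.invalid", "port": 587, "ssl": true }'
)

if __name__ == "__main__":
    for finding in find_embedded_credentials(SAMPLE_DUMP):
        print(finding)
```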
Timeline
2022-11-23 - initial research
2022-11-29 - contacted Verocafe regarding the findings. No response
2023-01-26 - full disclosure