One big vulnerability in 1Sambayan app


If you heed the call of the anti-Duterte coalition 1Sambayan to volunteer "to get a government that truly serves," you should know that your data, including Apple ID, address, birth date, email address, Facebook ID, full name, Google ID, mobile number, password, profile picture, username, and profession, could have been leaked.

Anyone could access the details of more than three thousand volunteers of the opposition group 1Sambayan because of inadequate security in the group's mobile app. The vulnerability was reported to MB Technews by an informant who calls himself Papasusej, a security professional who found it while checking the group's app.


Aside from these details, the photos of those who registered as volunteers in the group's mobile app are also at risk of public exposure. There is also a field that exposes each volunteer's Facebook ID, which lets anyone with access to the data verify a volunteer's identity by checking the Facebook account linked to that ID.

MB Technews informed the National Privacy Commission about the incident, and the PH privacy agency activated its Quick Response Team to check the report immediately. In addition, 1Sambayan was informed about the issue via Facebook Messenger and Viber.

Heide Mendonza, who introduced herself as 1Sambayan convenor, contacted us about the incident. We explained to her that we got the information via email.

An IT consultant of 1Sambayan also contacted us and said they are now doing an information forensics investigation to see where the leak happened.

To learn more about the breach, we forwarded the link to two of the country's top cybersecurity professionals, and both of them agreed that there's strong evidence that there is a data breach.

Secuna co-founder and cybersecurity professional AJ Dumanhug said that someone assessed the app's APK, or Android Package Kit, the format Android uses to distribute and install apps. "The informant saw the app's API endpoint and found out that it's vulnerable as it exposes user data." An Application Programming Interface, or API, is a software intermediary that allows two applications to talk to each other, in this case the app and the server. "Testing the API vulnerability, the informant could have requested user data one by one to get the sensitive personal information of 3,434 users," Dumanhug added.

Manila Bulletin cybersecurity consultant Christian Angel agreed with Dumanhug's analysis. "This is very interesting. We could see that the informant is exploiting the vulnerable application at the endpoint. As the endpoint of the API sends sensitive information as a reply to a query, he just changed the number incrementally to get more information, allowing him to access 3,400 user details."

Both Dumanhug and Angel agreed that the 1Sambayan app was developed and deployed to the public without a proper security assessment.

Moving Forward:

AJ Dumanhug recommends the following: 1) Perform penetration testing to correctly identify potential issues in the app. 2) Don't expose users' personal information in HTTP responses if it is not needed; if the information is essential, at least mask the details. 3) Report to the NPC immediately.

Christian Angel added: 1) 1Sambayan needs to conduct an incident response activity on this issue to know the extent of the breach. 2) The developers need to follow best practices in secure coding. 3) Test the app for vulnerabilities before deploying it for public use.

Dumanhug and Angel recommend immediately putting 1Sambayan's server, app, and database into maintenance mode until the vulnerability is fixed, to avoid any additional data leak.
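To make the experts' description concrete, here is an added illustration in Python that is not 1Sambayan's code and uses made-up data. It models the flaw Dumanhug and Angel describe (an endpoint that returns a full volunteer record for any numeric id, with no check on who is asking) beside a hardened handler that applies Dumanhug's second recommendation: authenticate, authorize the caller against the requested record, return only the fields the client needs, and mask contact details. It also adds the log check an incident responder would run to see how many distinct records a single client pulled. The record fields, the admin set, the log format, and the review threshold are all assumptions.

```python
"""Insecure direct object reference (IDOR) modelled beside a hardened
handler, plus a log-based check for id enumeration.
Constructed example with made-up data; not 1Sambayan's code."""
from collections import defaultdict
from typing import Optional

# Constructed sample records; the field names mirror the ones the article lists.
VOLUNTEERS = {
    1001: {"id": 1001, "username": "vol_a", "full_name": "Volunteer A",
           "email": "vol.a@example.org", "mobile": "09171234567",
           "birth_date": "1990-01-01", "facebook_id": "100000000001",
           "profession": "teacher", "password_hash": "$2b$12$placeholder"},
    1002: {"id": 1002, "username": "vol_b", "full_name": "Volunteer B",
           "email": "vol.b@example.org", "mobile": "09189876543",
           "birth_date": "1985-05-05", "facebook_id": "100000000002",
           "profession": "nurse", "password_hash": "$2b$12$placeholder"},
}
ADMINS = {1}  # assumed: user id 1 is an administrator account


class Unauthorized(Exception):
    """No session: the caller has not logged in."""


class NotFound(Exception):
    """Record missing or not visible to this caller."""


def vulnerable_get_user(user_id: int) -> Optional[dict]:
    """The flaw: any caller, any id, every column (even the password hash).
    Nothing ties the requested id to the identity of the requester."""
    return VOLUNTEERS.get(user_id)


def mask_email(email: str) -> str:
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_mobile(number: str) -> str:
    return "*" * (len(number) - 3) + number[-3:]


def hardened_get_user(session_user_id: Optional[int], user_id: int) -> dict:
    """Authenticate, authorize against the requested object, then return only
    the fields the client needs, with contact details masked."""
    if session_user_id is None:
        raise Unauthorized("login required")
    if session_user_id != user_id and session_user_id not in ADMINS:
        # Same response as a missing record, so ids cannot be probed for existence.
        raise NotFound("no such user")
    rec = VOLUNTEERS.get(user_id)
    if rec is None:
        raise NotFound("no such user")
    return {
        "id": rec["id"],
        "username": rec["username"],
        "profession": rec["profession"],
        "email": mask_email(rec["email"]),
        "mobile": mask_mobile(rec["mobile"]),
    }


def access_outcome(session_user_id: Optional[int], user_id: int) -> str:
    """Outcome of the hardened handler as a short status string."""
    try:
        hardened_get_user(session_user_id, user_id)
        return "ok"
    except Unauthorized:
        return "unauthorized"
    except NotFound:
        return "not_found"


def flag_id_enumeration(access_log: list, threshold: int = 20) -> dict:
    """Incident-response check: count distinct /api/users/<id> objects fetched
    per client address; clients at or above the threshold need review.
    The log format ('ip method path status') is an assumption."""
    seen = defaultdict(set)
    for line in access_log:
        ip, _method, path, _status = line.split()
        if path.startswith("/api/users/"):
            seen[ip].add(path.rsplit("/", 1)[1])
    return {ip: len(ids) for ip, ids in seen.items() if len(ids) >= threshold}


# Constructed access log: one client walks 30 consecutive ids, another reads one.
SAMPLE_LOG = [f"203.0.113.9 GET /api/users/{n} 200" for n in range(1000, 1030)]
SAMPLE_LOG.append("198.51.100.4 GET /api/users/1001 200")

if __name__ == "__main__":
    print("leaked fields:", sorted(vulnerable_get_user(1002)))
    print("hardened, own record:", hardened_get_user(1001, 1001))
    print("hardened, someone else's record:", access_outcome(1001, 1002))
    print("clients enumerating ids:", flag_id_enumeration(SAMPLE_LOG))
```

The important difference is not the masking but the authorization line: the hardened handler refuses any record other than the caller's own unless the caller is an administrator, and it answers with the same "not found" status either way so that sequential ids cannot be used to learn which records exist. The log check is what Angel's incident-response step would start with, since a single address walking consecutive ids stands out immediately in an access log.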

The login page of the 1Sama app of 1Sambayan

While the privacy policy states that the group only collects a "limited amount of information", we observed that personally identifiable information is collected.

Information such as mobile number, country, social media accounts, and profession is also collected.

We waited for 1Sambayan to put the affected assets offline before we posted this update. We were informed that there are more than five thousand volunteers as of this posting.