Backdoor Account
Hardcoded into the application is an administrative backdoor that could allow an attacker to manipulate information with administrative controls that they normally would not have access to. For example, with this backdoor an attacker could modify or delete information with malicious intent. An example of the code responsible for this backdoor follows; the same check occurs numerous times throughout the codebase:
ClimbInfoPage.prototype.checkIfUser = function () {
    var _this = this;
    this.localUser.getUser().then(function (localUser) {
        if (localUser && _this.climb) {
            _this.user = localUser;
            _this.userIsSetter = (localUser.username === _this.climb.setBy) ? true : false;
            // Admin status is decided entirely on the client, and one fixed
            // e-mail address (the literal is elided in this excerpt) is granted
            // it unconditionally, regardless of which wall is being viewed.
            _this.userIsAdmin = (localUser.email.toLowerCase() === _this.wallAdmin.toLowerCase() || localUser.email === '[email protected]' || _this.userIsSetter) ? true : false;
            if (localUser['logbook' + _this.climb.wall] && localUser['logbook' + _this.climb.wall].length > 0) {
                localUser['logbook' + _this.climb.wall].forEach(function (climb) {
                    if (climb.id === _this.climb.id)
                        _this.userHasLogged = true;
                });
            }
        }
    });
}
As an example attack scenario, an attacker can simply change this address manually and abuse the extra functionality granted within the app.
Insufficient Security Controls
It appears that all administrative functionality for the application is enforced client-side, which could allow a malicious actor to manually forge API requests in order to access information they would not normally have access to. For example, by manually forging requests, our researcher was able to add, modify, and delete walls (private or not), problems, images, users, etc. For example, we were able to obtain a full list of walls and the associated password hashes for private walls by manually sending these requests within a rogue app:
]],[31,[{
  "documentChange": {
    "document": {
      "name": "projects/whatsyourspraywall/databases/(default)/documents/walls/<censored>",
      "fields": {
        "setDate": {
          "integerValue": "1597465843256"
        },
        "gym": {
          "stringValue": "<censored>"
        },
        "skin": {
          "mapValue": {
            "fields": {
              "grades": {
                "booleanValue": true
              },
              "aboutText": {
                "stringValue": ""
              },
              "logo": {
                "stringValue": ""
              },
              "aboutImg": {
                "stringValue": "https:
              }
            }
          }
        },
        "name": {
          "stringValue": "<censored>"
        },
        "location": {
          "stringValue": "NY"
        },
        "website": {
          "stringValue": ""
        },
        "password": {
          "stringValue": "$2a$08$/<censored>/9kABLq9D5e0IyVCbhK"
        },
        "admin": {
          "stringValue": "<censored>@gmail.com"
        },
        "id": {
          "stringValue": "<censored>"
        }
      },
      "createTime": "2020-08-16T04:30:44.103040Z",
      "updateTime": "2020-08-16T04:34:35.532848Z"
    },
    "targetIds": [
      6
    ]
  }
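Both findings above (the hardcoded admin address and the client-only admin check) have the same server-side remedy: Firestore security rules that decide authorisation from the verified token and the wall document's own "admin" field. The rules below are an added example written for this write-up, not the application's own configuration; they assume the "walls" collection layout visible in the response above, and the "secrets" subcollection and Cloud Function they mention are hypothetical.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak setting, consistent with the behaviour observed above: every
    // caller may read and write every document, so the client-side
    // userIsAdmin flag is the only gate and a forged request bypasses it.
    //   match /{document=**} {
    //     allow read, write: if true;
    //   }

    // Corrected setting. The caller's identity comes from the token that
    // Firebase verified, never from a string the client chooses, and the
    // wall's own "admin" field is the source of truth; no fixed address
    // is exempted.
    function signedIn() {
      return request.auth != null && request.auth.token.email_verified == true;
    }
    function isAdminOf(adminEmail) {
      return signedIn() && request.auth.token.email.lower() == adminEmail.lower();
    }

    match /walls/{wallId} {
      allow read: if signedIn();
      // A wall can only be created with its creator recorded as admin.
      allow create: if isAdminOf(request.resource.data.admin);
      // Only the stored admin may modify or delete the wall, and the
      // admin field cannot be reassigned through the client.
      allow update: if isAdminOf(resource.data.admin)
          && request.resource.data.admin == resource.data.admin;
      allow delete: if isAdminOf(resource.data.admin);

      // Rules cannot hide one field of a readable document, so the bcrypt
      // hash must not sit in the wall document at all. Assumed layout (not
      // the app's): keep it in a subcollection only the admin can reach and
      // check a visitor's password in a Cloud Function instead.
      match /secrets/{secretId} {
        allow read, write:
          if isAdminOf(get(/databases/$(database)/documents/walls/$(wallId)).data.admin);
      }
    }
  }
}
```

The same per-document owner check applies to the problems, images and users collections the report lists; rules are published with `firebase deploy --only firestore:rules`, after which the client-side check becomes a display hint rather than the control.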