SteemApp Beta [v2.0.3] & SteemApp Stable [v1.0.3] login bug by kr-nahid

View this thread on: hive.blog | peakd.com | ecency.com

utopian-io · @kr-nahid · Sep 6 '18 (edited)

$0.05

SteemApp Beta [v2.0.3] & SteemApp Stable [v1.0.3] login bug

#### Project Information
> Repository:  https://github.com/BoomApps-LLC/SteemApp-Android
Project Name: SteemApp
Publisher: https://github.com/BoomApps-LLC


#### Expected behavior
After entering any username and by using user post key only, user must not be able to log into SteemApp by using any username.

#### Actual behavior
After entering any username and by using only user post key, user is able to enter any  Steemit account by just using the username of the the victim.

#### How to reproduce
* download the app [here](https://play.google.com/store/apps/details?id=com.boomapps.steemapp)
*  install the SteemApp Beta 2.0.3
* Then open the app and enter any username you want to enter(In this case I'm using my 2nd account to reproduce this bug, because this is a big security issue of this app and any account can be targeted.)
* After entering any username use your own post key by QR code or input private posting key .
* Then click login.
* Note that the user will be able to enter into the username account after log in by your post key but any username
* Note that this issue is the same for SteemApp Stable v1.0.3


> Browser/App version: SteemApp Beta v2.0.3
 Operating system: Android 7.1.2 N2G47H

#### Recording Of The Bug
https://www.youtube.com/watch?v=8DODadnopAU&feature=youtu.be

#### Proof of Work Done
 * My GitHub account - [GITHUB](https://github.com/kr-nahid)
 * The issue has been reported here: https://github.com/BoomApps-LLC/SteemApp-Android/issues/20

👍 oliwaw, steemitstats, yuxi, jahangirwifii, piaristmonk, leir, sheikhsayem, ubg, nrikov, inns.shuvts, smikovv, korob1218, umaykl, nikvoronkov1984, sera1995, pashafeloff, narkojen, anna151286, flagfixer, annabel1122, secretecandy, putridgamete, anaerobepicket, curryvoid, fieldsonce, maskoil, lambdaethanol, risklek, synonymsdiapir, no-matter, boriskamiran, ikudelin, riemannevening, blazarpastebin, googoltailored, harmscribd, alonecatdisc, oxbowworship, haircuttogether, definitefeed, searchmalt, linksurfer, controlcagey, riftlustful, holderroots, templateflask, amusingbun, obstinacyveggie, coalorebrunch, liquidmeat, pollfullscreen, dkapitonov, birkinx, albinakarimova, ermakx, blindjab, fleshtestify, weepyhorrified, syllablenod, boeingcoffee, filkreserved, stressedboiler, hipolitc, goote, and 15 others
👎 casido, hellotomyfans, fionmaxi, hilonrima, fushcarbon, velomasty, charlesbiters

`author`	kr-nahid
`permlink`	steemapp-beta-v2-0-3-and-steemapp-stable-v1-0-3-login-bug
`category`	utopian-io
`json_metadata`	{"app":"steeditor/0.1.2","format":"markdown","image":[],"tags":["utopian-io","bug-hunting"],"users":[],"links":["https://github.com/BoomApps-LLC/SteemApp-Android","https://github.com/BoomApps-LLC","https://play.google.com/store/apps/details?id=com.boomapps.steemapp","https://www.youtube.com/watch?v=8DODadnopAU&feature=youtu.be","https://github.com/kr-nahid","https://github.com/BoomApps-LLC/SteemApp-Android/issues/20"],"community":"busy"}
`created`	2018-07-02 18:12:12
`last_update`	2018-09-06 16:19:27
`depth`	0
`children`	4
`last_payout`	2018-07-09 18:12:12
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.048 HBD
`curator_payout_value`	0.001 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	1,484
`author_reputation`	5,080,172,233,934
`root_title`	"SteemApp Beta [v2.0.3] & SteemApp Stable [v1.0.3] login bug"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	63,169,545
`net_rshares`	21,918,387,207
`author_curate_reward`	""

properties (23)vote details (86)

voter	rshares	pct
ubg	291,831,764	1%
yuxi	2,952,230,689	10%
leir	713,615,631	20%
piaristmonk	1,419,068,314	100%
steemitstats	3,286,678,216	5%
jahangirwifii	2,855,589,706	6%
oliwaw	9,847,881,448	100%
sheikhsayem	551,491,439	100%
den9	0	100%
boyarovkostya	0	100%
desp-er	0	100%
browan4ik	0	100%
nyushosazha	0	100%
karapetyang	0	100%
supan4ik	0	100%
mashussyrtva	0	100%
sstrazzefa	0	100%
danielaminas	0	100%
trovimov	0	100%
aboriginalbook	0	100%
chestyovert	0	100%
rhodiumyellow	0	100%
bentwag	0	100%
goote	0	100%
hipolitc	0	100%
stressedboiler	0	100%
filkreserved	0	100%
boeingcoffee	0	100%
syllablenod	0	100%
weepyhorrified	0	100%
fleshtestify	0	100%
blindjab	0	100%
ermakx	0	100%
albinakarimova	0	100%
birkinx	0	100%
dkapitonov	0	100%
pollfullscreen	0	100%
liquidmeat	0	100%
coalorebrunch	0	100%
obstinacyveggie	0	100%
amusingbun	0	100%
templateflask	0	100%
holderroots	0	100%
riftlustful	0	100%
controlcagey	0	100%
linksurfer	0	100%
searchmalt	0	100%
definitefeed	0	100%
haircuttogether	0	100%
oxbowworship	0	100%
alonecatdisc	0	100%
harmscribd	0	100%
googoltailored	0	100%
blazarpastebin	0	100%
riemannevening	0	100%
ikudelin	0	100%
boriskamiran	0	100%
charlesbiters	0	-100%
no-matter	0	100%
velomasty	0	-100%
synonymsdiapir	0	100%
risklek	0	100%
lambdaethanol	0	100%
maskoil	0	100%
fieldsonce	0	100%
curryvoid	0	100%
anaerobepicket	0	100%
putridgamete	0	100%
secretecandy	0	100%
fushcarbon	0	-100%
hilonrima	0	-100%
annabel1122	0	100%
flagfixer	0	2%
anna151286	0	100%
narkojen	0	100%
pashafeloff	0	100%
sera1995	0	100%
nikvoronkov1984	0	100%
fionmaxi	0	-100%
umaykl	0	100%
korob1218	0	100%
smikovv	0	100%
inns.shuvts	0	100%
nrikov	0	100%
hellotomyfans	0	-100%
casido	0	-100%

@annabel1122 · Jul 19 '18

sir g really great post Keep it up

properties (22)

`author`	annabel1122
`permlink`	re-kr-nahid-steemapp-beta-v2-0-3-and-steemapp-stable-v1-0-3-login-bug-20180719t190242100z
`category`	utopian-io
`json_metadata`	{"tags":["utopian-io"],"app":"steemit/0.1"}
`created`	2018-07-19 19:02:42
`last_update`	2018-07-19 19:02:42
`depth`	1
`children`	0
`last_payout`	2018-07-26 19:02:42
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	34
`author_reputation`	49,779,624,659
`root_title`	"SteemApp Beta [v2.0.3] & SteemApp Stable [v1.0.3] login bug"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	65,277,383
`net_rshares`	0

@biblegateway · Jul 2 '18

#
# upvote for me please? https://steemit.com/news/@bible.com/2sysip
#

properties (22)

`author`	biblegateway
`permlink`	re-kr-nahid-steemapp-beta-v2-0-3-and-steemapp-stable-v1-0-3-login-bug-20180702t181257504z
`category`	utopian-io
`json_metadata`	{"tags":["utopian-io"],"links":["https://steemit.com/news/@bible.com/2sysip"],"app":"steemit/0.1"}
`created`	2018-07-02 18:12:54
`last_update`	2018-07-02 18:12:54
`depth`	1
`children`	0
`last_payout`	2018-07-09 18:12:54
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	70
`author_reputation`	-1,830,118,496,884
`root_title`	"SteemApp Beta [v2.0.3] & SteemApp Stable [v1.0.3] login bug"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	63,169,630
`net_rshares`	0

@flagfixer · Jul 17 '18

@kr-nahid you were flagged by a worthless gang of trolls, so, I gave you an upvote to counteract it!  Enjoy!!

properties (22)

`author`	flagfixer
`permlink`	flagfixer-re-kr-nahidsteemapp-beta-v2-0-3-and-steemapp-stable-v1-0-3-login-bug
`category`	utopian-io
`json_metadata`	""
`created`	2018-07-17 21:57:18
`last_update`	2018-07-17 21:57:18
`depth`	1
`children`	0
`last_payout`	2018-07-24 21:57:18
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	109
`author_reputation`	2,148,467,197,579
`root_title`	"SteemApp Beta [v2.0.3] & SteemApp Stable [v1.0.3] login bug"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	65,040,413
`net_rshares`	0

@tobias-g · Jul 2 '18

Thanks for your contribution. 

As I mentioned on the issue prior to you posting this to Utopian, this is not a bug. I have further confirmed this with the project owner following this report. 

In the scenario where a user enters the application and enters a username and private posting key and the private posting key is incorrect the validation is not done at login and instead done upon the actual action which requires the private posting key. 

For example, I could enter the username kr-nalid and essentially view the application as you, but when I try to post as you I won't be able to because I don't know your private posting key. This is not a security concern because a user cannot do anything on a user's accounts without a private posting key. 

The following diagram should explain this further, *Note: I have oversimplified this, therefore, it isn't 100% accurate, but you will get the idea*

![Blank Diagram - Page 1 (2).png](https://ipfs.busy.org/ipfs/QmPaQCJ5yqutNPy4m4K3H4wRC7yT6MCLqmqymAxz8UnT54)


In a lot of other applications you will validation of keys at the launch of the application through a sign in as seen in the image above, SteemApp instead takes a different approach and does the validation at the action as seen in the above image. This allows a user to get an experience within the application without needing to actually have your key to hand. Of course, this does create a slight UX issue and may be confusing, however, I think by removing the password field and only requiring the permission on actions (such as we saw Android implement in 6.0) it will help improve this for the user. 

**Again, I would like to note there is nothing to worry about when using this application and all users of the application are safe when using it.**

Separate to that, it's great to see that you're adding your issues to GitHub, however, please take note of comments, this issue would have been best left until the project owner was able to respond. You also score higher points in the event the project owner acknowledges the issue. 

Your title could have been improved by actually mentioning the issue at hand.

Your video was to the point and glad to see you made an attempt to hide your keys, I was initially worried that would be missed. 

Once again, thanks for your contribution and look forward to your contibutions in the future.

---------------------------------------------------------------------
Need help? Write a ticket on https://support.utopian.io.
Chat with us on [Discord](https://discord.gg/uTyJkNm).

**[[utopian-moderator]](https://utopian.io/moderators)**

👍 cheneats

`author`	tobias-g
`permlink`	re-kr-nahid-steemapp-beta-v2-0-3-and-steemapp-stable-v1-0-3-login-bug-20180702t194830208z
`category`	utopian-io
`json_metadata`	{"tags":["utopian-io"],"image":["https://ipfs.busy.org/ipfs/QmPaQCJ5yqutNPy4m4K3H4wRC7yT6MCLqmqymAxz8UnT54"],"links":["https://support.utopian.io","https://discord.gg/uTyJkNm","https://utopian.io/moderators"],"app":"steemit/0.1"}
`created`	2018-07-02 19:48:30
`last_update`	2018-07-02 19:48:30
`depth`	1
`children`	0
`last_payout`	2018-07-09 19:48:30
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.000 HBD
`curator_payout_value`	0.000 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	2,607
`author_reputation`	101,057,581,296,921
`root_title`	"SteemApp Beta [v2.0.3] & SteemApp Stable [v1.0.3] login bug"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	63,179,730
`net_rshares`	147,355,793
`author_curate_reward`	""

properties (23)vote details (1)

voter	weight	wgt%	rshares	pct	time
cheneats	0 B		147,355,793	1%