Happy Hacking Easter – Story of privacy violation into an eggshell

35 points, by tshtf, about 9 years ago

5 comments

verst, about 9 years ago

I once found and disclosed similar issues in an app.

The app didn't use HTTPS, so it was trivial to intercept Bearer tokens.

For some reason, most API endpoints returned way more data than necessary (e.g., when receiving a message you also get the user's last location, their name, their latest known profile icon), so simply observing network traffic on an insecure WiFi network would be enough to get all the information you could ever want (no need to actually use that Bearer token).

And of course the app collected the precise GPS location and would return a GPS location with full precision in virtually every API response (messaging a stranger, fetching their public profile, etc.).

In my private, responsible disclosure sent to the creator I demonstrated how I could use their private API to track the creator everywhere he goes. I think that drove the message home ;)

I am always skeptical when an app wants my GPS location.

Since I am friends with the creator's wife, I never wrote a post about this.
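The two failures verst describes (a Bearer token readable on the wire because the API speaks plain HTTP, and responses that carry far more than the endpoint needs, including full-precision GPS coordinates) can be checked mechanically from a traffic capture. The following is an added example, not code from the original post or from the app under discussion: it audits a few constructed HTTP transactions against a hypothetical per-endpoint field allowlist. The endpoint paths, field names and token are invented for illustration.

```python
"""Audit captured HTTP transactions for cleartext bearer tokens and
over-exposed response bodies (added example; all data below is constructed)."""
import json
from dataclasses import dataclass

# Hypothetical allowlist: the fields each endpoint legitimately needs to return.
# The real app's schema is not on the page; these names are assumptions.
EXPECTED_FIELDS = {
    "/api/messages": {"id", "from_user_id", "body", "sent_at"},
    "/api/users/profile": {"id", "display_name", "avatar_url"},
}
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}
# 4 decimal places of a degree is roughly 10 m: precise enough to track a person.
MAX_LOCATION_DECIMALS = 3


@dataclass
class Transaction:
    scheme: str            # "http" (cleartext) or "https"
    path: str
    request_headers: dict
    response_body: str


@dataclass
class Finding:
    path: str
    kind: str              # cleartext-token | over-exposure | precise-location
    detail: str


def decimal_places(value) -> int:
    """Number of digits after the decimal point in the float's shortest repr."""
    text = repr(float(value))
    return len(text.split(".")[1]) if "." in text else 0


def _leaves(obj, prefix=""):
    """Yield (dotted.key, value) for every scalar inside nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _leaves(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _leaves(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), obj


def audit(transactions):
    findings = []
    for t in transactions:
        auth = t.request_headers.get("Authorization", "")
        # A bearer token over plain HTTP is readable by anyone on the same network.
        if t.scheme == "http" and auth.lower().startswith("bearer "):
            findings.append(Finding(t.path, "cleartext-token",
                                    f"token prefix on the wire: {auth[7:][:8]}..."))
        try:
            body = json.loads(t.response_body)
        except json.JSONDecodeError:
            continue
        expected = EXPECTED_FIELDS.get(t.path)
        if isinstance(body, dict) and expected is not None:
            for key in body:
                if key not in expected:
                    findings.append(Finding(t.path, "over-exposure", f"unexpected field {key}"))
        for key, value in _leaves(body):
            if (key.rsplit(".", 1)[-1] in LOCATION_KEYS
                    and isinstance(value, (int, float))
                    and decimal_places(value) > MAX_LOCATION_DECIMALS):
                findings.append(Finding(t.path, "precise-location", f"{key}={value}"))
    return findings


# Constructed capture: one message fetch over HTTP that leaks the sender's
# record, and one profile fetch over HTTPS that returns only what it should.
SAMPLE = [
    Transaction("http", "/api/messages",
                {"Authorization": "Bearer eyJhbGciOi.constructed.token"},
                json.dumps({"id": 17, "from_user_id": 42, "body": "hi",
                            "sent_at": "2016-03-31T10:00:00Z",
                            "from_user": {"name": "Alice",
                                          "avatar": "https://example.invalid/a.png",
                                          "last_location": {"lat": 45.4642035,
                                                            "lon": 9.1899870}}})),
    Transaction("https", "/api/users/profile",
                {"Authorization": "Bearer eyJhbGciOi.constructed.token"},
                json.dumps({"id": 42, "display_name": "Alice",
                            "avatar_url": "https://example.invalid/a.png"})),
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.path}: {f.kind}: {f.detail}")
```

On the constructed capture the first transaction yields one cleartext-token finding, one over-exposure finding for the nested `from_user` object, and two precise-location findings for its coordinates; the second yields nothing. In practice the transactions would be fed from a proxy or pcap decoder, and the allowlist from the API's own documentation.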
tshtf, about 9 years ago

I'm not the author of the post, but here are some notes on this app:

500,000-1,000,000 installs: https://play.google.com/store/apps/details?id=com.ferrero.magickinder.tablet&hl=en

Written by Ferrero SpA (Yes, the producers of Nutella... $8.4 billion in annual revenue): https://en.wikipedia.org/wiki/Ferrero_SpA
bugmenot3, about 9 years ago

"Last but not least, all communications are transmitted in clear text; no encryption is involved across the whole app."

It's pretty common to send and receive API requests in clear text, since the encryption for this part should be handled by HTTPS. But you're right, this app only uses HTTP.
[Comment #11417989 not loaded]
joshschreuder, about 9 years ago

Another similar privacy leak affecting children on the VTech website a few months ago:

http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html
konceptz, about 9 years ago

I wish the author had listed the types of issues at work here.

Privacy violation is the result of a few types of issues, including JSON injection and horizontal privilege (maybe vertical) escalation.

Also, providing fixes could help lend a hand to developers, both the creators and readers of this post.

Please don't take this post as negative; it's a very nice finding which I'm glad is public to the point of helping our user information become safer, and for that I thank you, author.
[Comment #11418590 not loaded]
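konceptz asks for the fixes, and verst's comment names the two things worth fixing on the server side: a request for someone else's message or profile must be authorized against the caller (otherwise any user can read any record by id, the horizontal privilege escalation konceptz mentions), and the response must carry only the fields that view needs, with no full-precision location attached to strangers' records. The following is an added example, not the app's code or the post author's: a vulnerable handler pair beside its hardened form, over a constructed in-memory store. The `caller_id` is assumed to come from a session the server has already validated (e.g. by checking the Bearer token), never from a request parameter.

```python
"""Vulnerable vs. hardened handlers for 'read a message' and 'read a profile'
(added example; users, messages and coordinates below are constructed)."""
from dataclasses import dataclass, asdict


@dataclass
class User:
    id: int
    display_name: str
    avatar_url: str
    email: str
    lat: float      # last known GPS fix, stored at full precision
    lon: float


@dataclass
class Message:
    id: int
    from_user_id: int
    to_user_id: int
    body: str


# Constructed stand-in for the database.
USERS = {
    1: User(1, "Alice", "https://example.invalid/a.png", "alice@example.invalid", 45.4642035, 9.1899870),
    2: User(2, "Bob", "https://example.invalid/b.png", "bob@example.invalid", 48.8566969, 2.3514616),
    3: User(3, "Carol", "https://example.invalid/c.png", "carol@example.invalid", 41.9027835, 12.4963655),
}
MESSAGES = {
    10: Message(10, 1, 2, "hello bob"),
    11: Message(11, 2, 3, "private to carol"),
}


class Forbidden(Exception):
    """Raised when the authenticated caller may not read the requested record."""


# --- vulnerable: trusts the requested id and serializes whole records --------

def get_message_vulnerable(caller_id: int, message_id: int) -> dict:
    m = MESSAGES[message_id]                     # no check that caller is a participant
    return {**asdict(m), "from_user": asdict(USERS[m.from_user_id])}  # leaks email + exact GPS


def get_profile_vulnerable(caller_id: int, target_id: int) -> dict:
    return asdict(USERS[target_id])              # same: every column, for anyone


# --- hardened: authorize against the caller, return a view, coarsen location --

def coarsen(coord: float, places: int = 2) -> float:
    """Round to two decimal places (about 1 km), enough for 'nearby' features
    and not enough to follow a person around."""
    return round(coord, places)


def public_view(u: User) -> dict:
    """What a stranger may learn about a user: no email, no location."""
    return {"id": u.id, "display_name": u.display_name, "avatar_url": u.avatar_url}


def get_message_hardened(caller_id: int, message_id: int) -> dict:
    m = MESSAGES[message_id]
    if caller_id not in (m.from_user_id, m.to_user_id):
        raise Forbidden(f"user {caller_id} is not a participant of message {message_id}")
    # Only the fields the message view needs; the sender appears as a public view.
    return {"id": m.id, "from_user_id": m.from_user_id, "body": m.body,
            "from_user": public_view(USERS[m.from_user_id])}


def get_profile_hardened(caller_id: int, target_id: int) -> dict:
    u = USERS[target_id]
    if caller_id != target_id:
        return public_view(u)                    # strangers: public subset only
    # The owner's own view adds email and a coarse location.
    return {**public_view(u), "email": u.email, "lat": coarsen(u.lat), "lon": coarsen(u.lon)}


if __name__ == "__main__":
    print("vulnerable, user 1 reads Bob->Carol:", get_message_vulnerable(1, 11))
    try:
        get_message_hardened(1, 11)
    except Forbidden as e:
        print("hardened:", e)
    print("hardened, Bob reads his own message:", get_message_hardened(2, 11))
```

The authorization check is deliberately the first statement of each hardened handler: a later exception path or an early return must not be able to skip it. Whether strangers should see even a coarsened location is a product decision; the safe default shown here is to omit it unless the caller is the record's owner.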