lcimeni / tiktok-ios

0 stars 0 forks source link

NowSecure dynamic analysis: Sensitive Data Leaked Via User Interface #97

Open lcimeni opened 2 years ago

lcimeni commented 2 years ago

Finding Description

The app was found to be displaying sensitive information on the screen. A malicious actor who can see the screen would then have the sensitive data. Attacks can also possibly access the data through screen captures taken by the OS or the user.

Steps to Reproduce

The app is observed while running on a device and any text entry fields are checked to ensure that they are hiding sensitive information - in this case, the user's password - by using secureTextEntry.

Business Impact

The app was found to be displaying sensitive information on the screen. A malicious actor who can see the screen would then have the sensitive data.

Remediation Resources

Change the text fields in question to secure text fields by setting the secureTextEntry attribute to true. Informations and code snippets can be found on Apple's website.

Risk and Regulatory Information

Severity: low CVSS: 3.2

Application

See more detail in the NowSecure Report