by jeroenhd
1219 days ago
As usual, a simple MitM can accomplish more than you'd expect. Together with a simple Frida script, you can easily intercept traffic for apps with certificate pinning as well; there's no quick fix for a vulnerability like this. You can't trust data from computers you don't own. Looking at the source code snippet posted, this library simply sends a "score" variable over a POST request and the server just seems to accept it as the real score; that's fine for keeping user-specific high scores, but as soon as you use that data together with any other account, you're going to have a bad time. This reminds me of the Hive Social security vulnerability (forgetting to implement ACLs on any of their endpoints and doing all the security checks client side).