GolfQuis: a golfing iOS game built by Boolex that leaks passwords  

I was looking for a company to help me build a small prototype for an idea I had for a mobile application. So to find a company I asked around, and someone mentioned the company Boolex. I naturally wanted to check out the quality of their work before going any further.

They didn’t list any references, which was the first warning sign, but upon contact they mentioned they created the game GolfQuis for iOS.


My first tool of choice is usually mitmproxy, a Python application that runs as an intercepting proxy and lets me inspect the traffic of whichever clients connect through it.
To use it, get your computer and your device on the same network, run mitmproxy -p 4242 on the computer, and configure the device's Wi-Fi connection to use a manual HTTP proxy with the IP of your computer and port 4242. For HTTPS traffic the device would also have to trust mitmproxy's CA certificate; GolfQuis talks plain HTTP, so that step doesn't apply here.

I downloaded GolfQuis and listened in on the traffic. First, I created a user, and my username and password were sent to the backend over plain HTTP. After that, I clicked the “Topscore” button, and a GET request was made to http://www.golfquis.com/golfadmin/public/ajax/top-players. When I inspected the JSON response I saw a list of users with their passwords in clear text:


[
{
"id": 69,
"name": "Tim Hansen",
"email": "redacted1@gmail.com",
"password": "redacted",
"rounds": 153,
"score": 3.8,
"rank_this_month": 0,
"rank_last_month": 0,
"rank_update_date": "0000-00-00",
"created_at": "2015-12-07 22:14:35",
"updated_at": "2015-12-26 22:27:35"
},
{
"id": 33,
"name": "Heidi Hansen",
"email": "redacted2@hotmail.com",
"password": "redacted",
"rounds": 56,
"score": 8,
"rank_this_month": 1,
"rank_last_month": 0,
"rank_update_date": "2015-12-01",
"created_at": "2015-11-24 09:26:15",
"updated_at": "2015-12-01 06:00:07"
},
(...)
]

(This is of course not real data, but made up)
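The inspection described above can be automated so the proxy itself flags the problem. The following mitmproxy addon is an added example, not code from the original post or from Boolex; it flags credentials and e-mail addresses sent over plain http in requests, and any JSON response that returns a password-like or e-mail field. The sample response is constructed, made-up data in the shape of the top-players listing above, and the file name and the example.com URLs in the comments are assumptions.

```python
"""mitmproxy addon that flags cleartext credentials and PII in proxied traffic.

Added example, not code from the original post or from Boolex/GolfQuis.
Run with:  mitmdump -p 4242 -s cred_leak_addon.py   (file name is an assumption)

The detection logic lives in plain functions so it can be exercised without
mitmproxy installed; CredLeakDetector is the thin wrapper mitmproxy calls
for every request and response.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Field names that should never travel over cleartext or come back in a response.
CREDENTIAL_KEYS = {"password", "passwd", "pass", "pwd", "secret", "token"}
PII_KEYS = {"email", "phone"}


def classify(key):
    """Return 'credential', 'pii' or None for a JSON/form field name."""
    k = key.lower()
    if k in CREDENTIAL_KEYS:
        return "credential"
    if k in PII_KEYS:
        return "pii"
    return None


def find_sensitive_fields(obj, path="$"):
    """Walk parsed JSON (nested dicts/lists) and return (json_path, label)
    for every sensitive key that carries a non-empty value."""
    hits = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            label = classify(key)
            if label and value not in (None, ""):
                hits.append((child, label))
            hits.extend(find_sensitive_fields(value, child))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_sensitive_fields(item, f"{path}[{i}]"))
    return hits


def scan_json_body(body):
    """Parse a JSON body; return sensitive-field hits, or [] if the body is
    not valid JSON (e.g. an HTML error page)."""
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    return find_sensitive_fields(data)


def scan_request(url, body, content_type=""):
    """Flag credentials/PII submitted over plain http: in the query string,
    in a form-encoded body, or in a JSON body. Over https nothing is
    flagged, because the cleartext transport is what this check is about."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return []
    hits = []
    for key in parse_qs(parts.query):
        label = classify(key)
        if label:
            hits.append((f"query:{key}", label))
    if "json" in content_type:
        hits.extend((f"json:{p}", label) for p, label in scan_json_body(body))
    else:
        for key in parse_qs(body.decode("utf-8", "replace")):
            label = classify(key)
            if label:
                hits.append((f"form:{key}", label))
    return hits


class CredLeakDetector:
    """mitmproxy addon hooks; `flow` is a mitmproxy HTTPFlow."""

    def request(self, flow):
        ct = flow.request.headers.get("content-type", "")
        for where, label in scan_request(flow.request.url, flow.request.content or b"", ct):
            print(f"[{label} over cleartext http] {flow.request.method} {flow.request.url} -> {where}")

    def response(self, flow):
        ct = flow.response.headers.get("content-type", "")
        if "json" not in ct:
            return
        for path, label in scan_json_body(flow.response.content or b""):
            print(f"[{label} in response body] {flow.request.url} -> {path}")


addons = [CredLeakDetector()]

# Constructed sample response in the shape of the top-players listing
# (made-up data, like the redacted listing in the post).
SAMPLE_TOP_PLAYERS = json.dumps([
    {"id": 1, "name": "Player One", "email": "one@example.com", "password": "hunter2", "score": 3.8},
    {"id": 2, "name": "Player Two", "email": "two@example.com", "password": "letmein", "score": 8},
]).encode()


if __name__ == "__main__":
    for path, label in scan_json_body(SAMPLE_TOP_PLAYERS):
        print(label, path)
```

Point the device at the proxy as described above, start mitmdump with the addon, and use the app; every flagged field is printed with its JSON path, so a response like the one above shows up as one "credential" and one "pii" line per player. The walker recurses through nested objects and lists, so it also catches records wrapped in a data envelope rather than returned as a bare array.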

Lessons to learn

Other projects from Boolex

Boolex also builds a security product, Vassec.com, a service that claims to “protect your websites and servers”. Yeah, let that sink in for a while.


So the hunt for a developer to help me with my ideas continues :)

Interaction with the company

29 December 2015 - I contact a Boolex founder on Facebook about my findings. He tells me that the developer isn’t working for them anymore, and I tell him that a quick fix might simply be to remove the passwords from the endpoint’s response. He says that a quick fix isn’t possible.

4 January 2016 - I notice that the passwords have now been removed from the endpoint, but it still leaks the email addresses of all users. I send another message.

9 May 2016 - The endpoint still leaks e-mail addresses.
