Zenly Social-Media App Bugs Allow Account Takeover

A pair of bugs in the Snap-owned tracking app reveal phone numbers and allow account hijacking.

Zenly, a social app from Snap that allows users to see the locations of friends and family on a live map, contains a pair of vulnerabilities that could endanger those being tracked.

According to the Checkmarx Security Research Team, the bugs are a user-data exposure vulnerability and an account-takeover vulnerability. Both have been patched, and users should upgrade their apps to the latest version to avoid compromise.

Phone-Number Reveal

The first bug is a medium-severity problem that reveals the phone numbers of users.

“When submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not,” explained the researchers, in a Thursday posting. “To obtain this information, a malicious actor only needs to know their username.”

Obtaining usernames is easier than it should be, they added, since Zenly also exposes an “exhaustive list of friends of a user,” so one known username yields the usernames of that person's entire contact graph.
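To make the two exposure paths concrete, the following is an added illustrative model of the bug class, not Zenly's or Checkmarx's code: a friend-request endpoint whose profile serializer releases the phone number as soon as a request exists (pending or accepted alike), beside a hardened version that keys on the accepted relationship, and the same contrast for the friend list. The users, phone numbers, field names and function names are constructed assumptions chosen only to show the authorization check that was missing.

```python
"""Illustrative model of the Zenly exposure bug class (added example, not the
app's real code). All users, numbers and names below are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class RequestState(Enum):
    PENDING = "pending"
    ACCEPTED = "accepted"


@dataclass
class User:
    username: str
    phone: str                                   # private contact detail
    friends: set[str] = field(default_factory=set)


# Constructed sample data (hypothetical accounts).
USERS: dict[str, User] = {
    "ceo": User("ceo", "+1-555-0100", {"cfo", "assistant"}),
    "cfo": User("cfo", "+1-555-0101", {"ceo"}),
    "assistant": User("assistant", "+1-555-0102", {"ceo"}),
    "attacker": User("attacker", "+1-555-0199"),
}

# (requester, target) -> state of the friend request between them
FRIEND_REQUESTS: dict[tuple[str, str], RequestState] = {}


def send_friend_request(requester: str, target: str) -> None:
    """Create a pending request; the target has not consented to anything."""
    FRIEND_REQUESTS[(requester, target)] = RequestState.PENDING


def accept_friend_request(target: str, requester: str) -> None:
    """Only the target can move a request to ACCEPTED (mutual friendship)."""
    if FRIEND_REQUESTS.get((requester, target)) is not RequestState.PENDING:
        raise PermissionError("no pending request to accept")
    FRIEND_REQUESTS[(requester, target)] = RequestState.ACCEPTED
    USERS[requester].friends.add(target)
    USERS[target].friends.add(requester)


def is_friend(viewer: str, target: str) -> bool:
    return target in USERS[viewer].friends


def profile_vulnerable(viewer: str, target: str) -> dict:
    """Bug class from the article: the check is 'a request exists', not
    'the request was accepted', so a pending request already leaks the phone."""
    user = USERS[target]
    view = {"username": user.username}
    if (viewer, target) in FRIEND_REQUESTS:      # pending or accepted alike
        view["phone"] = user.phone
    return view


def profile_hardened(viewer: str, target: str) -> dict:
    """Release contact details only to an accepted (mutual) friend."""
    user = USERS[target]
    view = {"username": user.username}
    if is_friend(viewer, target):
        view["phone"] = user.phone
    return view


def friend_list_vulnerable(target: str) -> list[str]:
    """Exhaustive friend list for anyone who asks: this is what hands an
    attacker the usernames needed to repeat the phone lookup per contact."""
    return sorted(USERS[target].friends)


def friend_list_hardened(viewer: str, target: str) -> list[str]:
    """Friend graph visible only to the owner and to accepted friends."""
    if viewer == target or is_friend(viewer, target):
        return sorted(USERS[target].friends)
    return []


def demo() -> dict:
    """Attacker sends an unanswered request, then reads the target's data
    through both serializers; returns what each version discloses."""
    send_friend_request("attacker", "ceo")
    return {
        "vuln_phone": profile_vulnerable("attacker", "ceo").get("phone"),
        "hard_phone": profile_hardened("attacker", "ceo").get("phone"),
        "vuln_friends": friend_list_vulnerable("ceo"),
        "hard_friends": friend_list_hardened("attacker", "ceo"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the authorization decision must be made on the state the target controls (acceptance), never on an event the attacker controls (sending a request). The same principle applies to the friend list: enumerability of the social graph is what turns a single known username into a set of targets.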

As for how an attack might play out in practice, Checkmarx offered a hypothetical of a cyberattacker targeting a CEO.

Steps in the kill chain would include the

Read More: https://threatpost.com/zenly-bugs-account-takeover/178646/