Vulnerabilities in the Zenly social app allow account hijacking

Snap's location-sharing social application lets users see where their friends are; researchers found bugs that lead to account takeover


Several security vulnerabilities were discovered in Zenly, a social application used for location tracking. The bugs expose users' phone numbers and allow attackers to take over accounts.[1] People use the app to see the live location of friends and family on a map, so these flaws are especially dangerous because of that tracking function.[2]

The two flaws are a user-data exposure bug and an account-takeover bug. Both have been patched,[3] so updating the app is crucial: installing the latest version prevents the account compromise. The issue is serious and can have major consequences, because the attack is feasible and can happen quickly and silently.

Zenly investigated the reports of these vulnerabilities and took the steps needed to remove the risk to users. The company thanked the Checkmarx team and fixed the issues before they could have a major impact on Zenly users.

Medium-severity bugs leading to personal data exposure

One of the bugs reveals users' phone numbers. When a friend request is submitted, the app grants access to the target's phone number without checking whether the request was accepted. An attacker only needs to know a person's username to collect their number, and usernames are exceptionally easy to obtain because Zenly exposes each user's list of friends.

The researchers also describe how this enables more targeted attacks.[4] An attacker can look up a specific person connected to a targeted company, take that person's username from other social media platforms and try it on Zenly. People working in marketing or communications, who tend to use these platforms, are easier targets.

Reaching the account of any employee can lead the attacker, through the app's friend lists, to the CEO or other more important figures in the company; from there, exploiting the vulnerability yields their phone numbers. A criminal can do many things with the phone number of a high-value person: spear phishing[5] and direct scams can trigger a chain of attacks against a particular company, sector or industry.

User account takeover

The other vulnerability reported to the developers concerns how the Zenly API handles session authentication. The SessionCreate endpoint creates a session token and sends an SMS verification code to the user's phone number; the client then submits the session token together with the code received via SMS, the session is verified and the user is logged in. An attacker can abuse the SessionCreate endpoint to hijack an account.

The core of the issue is that the attacker only needs to obtain a session token for the victim's phone number before the legitimate user calls the /SessionVerify endpoint. This can be done either before or after the legitimate user calls the /SessionCreate endpoint.

This is not easy to achieve, which is why the vulnerability received a CVSS score of 4.7. The attacker must know the target's mobile number and the exact time at which the victim logs in, and for the authentication to work the attacker must also sign up and register a new device. Exploiting the flaw against real people is therefore harder, but it is good that the developers reacted as quickly as they did and that the app was patched.
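To make the race concrete, the following Python model of a SessionCreate/SessionVerify flow is an added illustration, not Zenly's or Checkmarx's code. The mechanism it assumes, that the vulnerable server keeps the pending verification state per phone number so that any other session outstanding for the same number is logged in when the real user enters the SMS code, is one plausible way the behaviour described above arises, not the confirmed root cause. The class names, the phone number and the device identifiers are constructed for the example. The hardened variant binds each code to the session that requested it and discards competing unverified sessions once one is verified.

```python
"""Toy SMS-login model: a SessionCreate/SessionVerify race (illustrative, not Zenly's code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    token: str
    phone: str
    device_id: str
    code: Optional[str] = None   # per-session code, used only by the hardened server
    verified: bool = False


class SmsGateway:
    """Stand-in for the carrier: keeps the most recent code delivered to each phone."""

    def __init__(self) -> None:
        self.inbox: Dict[str, str] = {}

    def send(self, phone: str, code: str) -> None:
        self.inbox[phone] = code


class AuthServerBase:
    def __init__(self, sms: SmsGateway) -> None:
        self.sms = sms
        self.sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_code() -> str:
        return f"{secrets.randbelow(10**6):06d}"

    def is_logged_in(self, token: str) -> bool:
        s = self.sessions.get(token)
        return s is not None and s.verified


class VulnerableAuthServer(AuthServerBase):
    """Assumed weak design: verification state is keyed by phone number, not by session."""

    def __init__(self, sms: SmsGateway) -> None:
        super().__init__(sms)
        self.pending_code: Dict[str, str] = {}

    def session_create(self, phone: str, device_id: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = Session(token, phone, device_id)
        code = self._new_code()
        self.pending_code[phone] = code       # a later call for the same number overwrites this
        self.sms.send(phone, code)
        return token

    def session_verify(self, token: str, code: str) -> bool:
        s = self.sessions.get(token)
        if s is None or not secrets.compare_digest(self.pending_code.get(s.phone, ""), code):
            return False
        # BUG: the code proves possession of the phone, so every session that was
        # created for this number is marked verified, including an attacker's.
        for other in self.sessions.values():
            if other.phone == s.phone:
                other.verified = True
        return True


class FixedAuthServer(AuthServerBase):
    """Hardened: the code is bound to the requesting session; rivals are discarded."""

    def session_create(self, phone: str, device_id: str) -> str:
        token = secrets.token_hex(16)
        code = self._new_code()
        self.sessions[token] = Session(token, phone, device_id, code=code)
        self.sms.send(phone, code)
        return token

    def session_verify(self, token: str, code: str) -> bool:
        s = self.sessions.get(token)
        if s is None or s.code is None or not secrets.compare_digest(s.code, code):
            return False
        s.verified, s.code = True, None
        # Drop every other unverified session for this phone number.
        for other in list(self.sessions.values()):
            if other.phone == s.phone and other is not s and not other.verified:
                del self.sessions[other.token]
        return True


def run_race(server_cls, attacker_first: bool) -> Dict[str, bool]:
    """Both parties call SessionCreate for the victim's number in the given order;
    only the victim, who holds the phone, can then call SessionVerify."""
    sms = SmsGateway()
    server = server_cls(sms)
    victim_phone = "+15550100"            # constructed sample number
    if attacker_first:
        t_attacker = server.session_create(victim_phone, "attacker-device")
        t_victim = server.session_create(victim_phone, "victim-phone")
    else:
        t_victim = server.session_create(victim_phone, "victim-phone")
        t_attacker = server.session_create(victim_phone, "attacker-device")
    server.session_verify(t_victim, sms.inbox[victim_phone])   # victim types the latest SMS code
    return {
        "victim_logged_in": server.is_logged_in(t_victim),
        "attacker_logged_in": server.is_logged_in(t_attacker),
    }


if __name__ == "__main__":
    for cls in (VulnerableAuthServer, FixedAuthServer):
        for first in (True, False):
            print(cls.__name__, "attacker_first=%s" % first, run_race(cls, first))
```

Against the vulnerable server the attacker's session ends up logged in whether it was created before or after the victim's, matching the article's note that the order of the SessionCreate calls does not matter. Against the hardened server the attacker never gets in; when the attacker's request arrives second, the victim's own login fails instead, because the code they received belongs to the rival session, which is a visible failure rather than a silent takeover. A real deployment would additionally rate-limit SessionCreate per phone number so that repeated requests for a victim's number stand out.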

About the author
Jake Doevan

Jake Doevan is one of the News Editors. He graduated from Washington and Jefferson College, Communication and Journalism studies.
