{"published": "2016-04-01T10:01:31", "id": "HACKAPP:COM.TREEMENGAMES.PAKO.APK", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "882093bae25cfd0869c5fbd175a3b5318ddf82f8783f9bdfdd24d7119aa0d364", "description": "HackApp vulnerability scanner discovered that application Pako - Car Chase Simulator published at the 'play' market has multiple vulnerabilities.", "type": "hackapp", "lastseen": "2016-09-26T20:43:28", "edition": 1, "hackapp": {"version": "1.0.3.6", "store": "play", "release": "2015-12-29T00:00:00", "apk": "COM.TREEMENGAMES.PAKO.APK", "name": "Pako - Car Chase Simulator", "icon": "http://lh4.ggpht.com/WsCUbrymL__LazQG2SjWTzXMlBUjdEggCInE1oz31w3rDu5K7xye3AaFY_wY2Fl2IUY=w300", "link": "https://play.google.com/store/apps/details?id=com.treemengames.pako&hl=en", "vendor": "Tree Men Games", "bugs": [{"name": "Base64 encoded String", "id": "b5e9339be3eca506052824711c2ce270", "severity": "critical", "description": "Base64 encoded string could include authentication credentials."}, {"name": "SD-card access", "id": "08cd78e8c9401ddea4e2e2550dc292c0", "severity": "medium", "description": "SD-cards and other external storages have 'worldwide read' policy."}, {"name": "WebView JavaScript enabled", "id": "f68b0a322051a1332e5c997da7b14ed1", "severity": "medium", "description": "WebView 'setJavaScriptEnabled(true)' could be exploited during cross-site scripting attacks."}, {"name": "WebView files access", "id": "4130313a9dfbf5c236b42a4ed58c1282", "severity": "medium", "description": "Control of WebView context allows to access local files.\n\t\t\t"}, {"name": "External URLs", "id": "c773a1b36268ba3f686239c3fcd03f85", "severity": "notice", "description": "Were do they point?"}, {"name": "Unsafe deleting", "id": "9a0bdbf22327d134bb61da01b8197092", "severity": "notice", "description": "All items deleted with 'file.delete()' could be recovered."}, {"name": "WebView code execution", "id": "2f8e06294d9736d59b8642520e5420aa", "severity": "critical", "description": "WebView 'addJavascriptInterface' could be used to control the host app with JavaScript bindings. Remote Code Execution (RCE) is possible."}, {"name": "Suspicious files", "id": "03e01dff9bab882699bc76738d08455e", "severity": "notice", "description": "Are you sure these files should be here?"}, {"name": "Dynamic Code Loading", "id": "216a2f0eccbdb55f32c2205e6ec2bd8c", "severity": "medium", "description": "Code for 'DexClassLoader' could be tampered."}]}, "title": "Pako - Car Chase Simulator - Base64 encoded String, WebView code execution vulnerabilities", "href": "https://hackapp.com/report/3f3d559b2af42af83ec2f52de1199b16", "modified": "2016-04-01T10:01:31", "bulletinFamily": "software", "viewCount": 1, "cvelist": [], "affectedSoftware": [{"version": "1.0.3.6", "name": "Pako - Car Chase Simulator", "operator": "le"}], "references": ["https://play.google.com/store/apps/details?id=com.treemengames.pako&hl=en"], "reporter": "Hackapp.org", "hashmap": [{"hash": "d83b0dab84c195ce527f928aa2e147ac", "key": "affectedSoftware"}, {"hash": "f9fa10ba956cacf91d7878861139efb9", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "d4be9c4fc84262b4f39f89565918568f", "key": "cvss"}, {"hash": "6b9341ca4a7b665a6a16c39ab0341264", "key": "description"}, {"hash": "6db7ac68814e14c83337fbda22c0c924", "key": "hackapp"}, {"hash": "ffc4e5f06fd344e7224e596246e51d5c", "key": "href"}, {"hash": "11d5dfa940fc082585dfe338de239369", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "11d5dfa940fc082585dfe338de239369", "key": "published"}, {"hash": "365f23c73c9a953e7045873aa6692780", "key": "references"}, {"hash": "3b012aae1848bb95fe11f3cebae83cb0", "key": "reporter"}, {"hash": "636398cb598712cd0aabb11376d902f3", "key": "title"}, {"hash": "96e87ef1fcc8d9d3cdd337488987c423", "key": "type"}, {"hash": "cfcd208495d565ef66e7dff9f98764da", "key": "viewCount"}], "objectVersion": "1.2"}

{"result": {}}