In the βNQ Contacts Backup & Restoreβ application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required.
CPE | Name | Operator | Version |
---|---|---|---|
contacts_backup_\\&_restore | eq | 1.1 |