4 matches found
Zenly Social-Media App Bugs Allow Account Takeover
Zenly, a social app from Snap that allows users to see the locations of friends and family on a live map, contains a pair of vulnerabilities that could endanger those being tracked. According to the Checkmarx Security Research Team, the bugs are a user-data exposure vulnerability and an...
Zenly: Account Takeover via SMS Authentication Flow
Summary: During the authentication flow, an SMS is sent to the user in order to validate the session and proceed to the user account. The way the Zenly API handles this flow is by: 1. Calling the /SessionCreate endpoint with the mobile phone number of the user. 2. A session for the user is created an...
Zenly: Google Maps API key stored as plain text leading to DOS and financial damage
The researcher highlighted the fact that the Google Maps API key, which is by design easily retrievable from the .apk, was missing some restrictions. It could then be used by anyone to query the Google Static Map API, possibly leading to financial damage. Resolved by enforcing missing restrictions...
Zenly Locator - Realtime GPS - Customized SSL, Dangerous filesystem permissions, Exported ContentProvider vulnerabilities
The HackApp vulnerability scanner discovered that the application Zenly Locator - Realtime GPS, published on the 'play' market, has multiple vulnerabilities...