StaySafe Philippines Contact Tracing Platform Vulnerability

Disclaimer: The purpose of this research is to improve and strengthen security all issues discovered in this research are reported to the security team. The researcher is not affiliated with any hacking groups. The researcher didn’t include the sensitive data in this write-up to reduce exposure to the vulnerability. The researcher follows the vulnerability disclosure policy.

Introduction

First of all, I would like to thank Jaypee Marquez, Art Samaniego Jr., and John Patrick Lita for helping me to reach out the StaySafe Security Team.

Okay let’s start the exploitation when the user’s go to StaySafe website user’s need to Create an Account or Log-In, I choose to Log In with my Facebook Account then after signing with my Facebook Account I noticed that it will redirect to Staysafe with this kind of endpoints.

Which is revealing my user access token in the web URL using this access token you can access the StaySafe user account.

Yes, I tested the user access token many times and I’m able to logged-In using it without email and password. The token can long to 24 hours before it’s will expired.

After getting my user access tokens I reversed the StaySafe PH application to find more valuable information that time StaySafe PH application was in the google play store it’s almost a million users downloaded but now if you check on the google play store, over 5m+ users that already downloaded.

I found a lot of information and also this interesting Staysafe URL with a parameter of token endpoints.

I added my user access token to the URL endpoints and open it here’s what I discovered.

To be honest, I don’t know what exactly is that but it’s like a Bluetooth tracer giving a user signal if the person nearby is (Probable, Suspect, Confirmed, Cleared, and Initial) of COVID-19 with color codings even the person you contact for a past day can still trace because the data organized by dates.

I look the web source codes if there was any information that can help me to keep digging and luckily I found the Staysafe main javascript source code then I extracted all endpoints from the file.

After the extraction of 20+ API endpoints that I discovered in the javascript file and these APIs, endpoints can be used to (reset a user’s password, verify user OTP, activate users account, deactivate users account, delete users account, disclosed users information and more.)

I found the web directory where the backend codes are disclosed and I’m able to edit some of the source codes.

Finally, I found the path of the Laravel Panel which disclosed both StaySafe web and mobile information including (Full Names, Email Addresses, Passwords, Company Names, Full Locations, Phone Numbers, One Time Pin (OTP), IP Addresses, and many more)

Disclosure Timeline

• March 22, 2021 — I emailed StaySafe regarding these security vulnerability issues on the same day I received a response from Staysafe requesting to send some security issues.
• March 23, 2021 — I forward my documentation on how I find the vulnerability issues and send some proof of concepts.
• March 25, 2021 — I emailed MultiSys Security Team and David Almirol the CEO and I received a reply from the Staysafe Team sir Derit Ginovin that they collaborate to patch the vulnerability.
• December 31, 2021 — Contact StaySafe with the help of sir. Art Samaniego Jr. for the updates.
• September 2, 2022 — Contact again with the help of sir. John Patrick Lita for the updates.
• September 5, 2022 — Vulnerability has been fixed.

Thanks for reading this article, I hope you guys learn something new today. Please share this article to spread the knowledge.

Don’t forget to follow and connect with me through LinkedIn, and Twitter.