Hi, I’m Ojas, an application penetration tester. While participating in a private bug bounty program on Bugcrowd, I came across a significant issue in their Android e-commerce application during my security assessment.
Description of the Bug
During my testing, I observed that sensitive information, specifically the password entered on the login screen, was visible in the app preview when the app was sent to the background. This means that the password could be viewed by anyone accessing the recent apps screen, posing a serious risk to user privacy. Sensitive information like passwords should never be exposed outside the app’s secured environment. This issue arises simply because the login window does not set FLAG_SECURE.
Below I show how an application exposes sensitive information in the app preview, using a demo app:
What is FLAG_SECURE
FLAG_SECURE is a window flag in Android that developers can set to protect sensitive content from being exposed in certain situations, such as screenshots, app previews (the recent apps screen), and screen recording. When the flag is set on a window, the system treats that window’s content as secure and will not capture it or display it in those places. The flag applies per window, so an activity and any dialog it opens must each set it.
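The fix is small, and the following Kotlin snippet is an added example (not the reported app’s code) showing how a login screen sets FLAG_SECURE before it is drawn; `LoginActivity`, `R.layout.activity_login` and `showPasswordDialog` are assumed names.

```kotlin
// Added example: protecting the login window with FLAG_SECURE.
import android.app.Dialog
import android.os.Bundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

class LoginActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Set the flag before the first draw so the password field is never
        // captured in the recent-apps preview, screenshots or screen recordings.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_login) // assumed layout resource
    }

    // FLAG_SECURE is per window: a Dialog has its own window, so a password
    // prompt shown in a dialog must set the flag separately or it stays exposed.
    private fun showPasswordDialog(dialog: Dialog) {
        dialog.window?.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        dialog.show()
    }
}
```

To check the fix, open the login screen with the password filled in, press the recents button, and confirm the preview no longer shows the window content.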
Outcome
Upon reporting the vulnerability, the program acknowledged the issue and classified it as a P4 priority. Although the program awarded me 5 points for the submission, they have stopped rewarding P4-level vulnerabilities due to a recent policy change, so no bounty was provided. However, addressing this issue is critical for safeguarding user data and maintaining trust in the application.
The actual priority of this bug is P5 according to the Bugcrowd VRT:
This type of issue is typically accepted in penetration testing reports but not always in bug bounty programs, as some consider it lower risk. However, some programs do reward these bugs in bug bounties, recognizing the importance of protecting sensitive information in app previews.
Thanks