😁Vulnerability #1: Insecure Logging

Reviewing the source code of com.insecureshop.LoginActivity shows that the username and password values that we provide are being leaked into logcat.

This is only a low-severity vulnerability since only physical attackers could access the device logs. For the POC, we need to input some dummy values then grep logcat for the userName or password keys:

After the credentials have been logged, we enter the following if block on line 44 which first calls Util.INSTANCE.verifyUsernamepassword() with the credentials that we provide and uses the Boolean return value for the check.