During the Covid pandemic, every country has its own app or service to help track and monitor citizens for infection. And to prevent spread.
One of these was the Stay Safe app. Before being bought by the Philippine government, this was developed by a company called MultiSys. I have checked their website and that’s it. One thing I know is that their email doesn’t work.
I don’t have a Stay Safe account but one thing I know is that they were using a third-party called Uploadcare for handling the assets. What are these assets? These are the photos of every person in the Philippines who signed up and their government-issued IDS. And some other personal stuff like a selfie I guess. I know there’s a selfie because of a class named
Based on my analysis, this bug only exists in
v2.* and was fixed in
v3.*. Or removed.
The issue was rather simple and preventable. The developers hardcoded both private and public keys in the code to be used in the UploadCare API. You can see in the photo below, the variables
You only need these two keys to communicate with the UploadCare API. So anyone, who knows how to decompile an Android app, can retrieve all the data uploaded by every user.
By just calling the API URL
https://api.uploadcare.com with the HTTP Header
Uploadcare.Simple <UPLOAD_CARE_PUBLIC_KEY>:<UPLOAD_CARE_PRIVATE_KEY> you can communicate and retrieve all the data.
The code block below is confirmation that all you need are the two sets of keys.
This was very reckless for the developers and company. The app wasn’t obfuscated too. Let this be a lesson to not hardcode your keys in the code.