Sunday, 16 September 2018

The Secrets of Tez

Hi Internet,

Summary: The Google Pay (Tez) app leaks end users' email addresses. This issue was marked as WONTFIX by Google.

You might be aware of different techniques for extracting email addresses from LinkedIn. Similarly, the Tez app allows you to do so.

Steps to reproduce:
1. Open Tez.
2. Click on New.
3. You will see "Google Pay Connections".
4. Click on any one contact.
5. Their respective email address will be displayed.


In this case, I have never had the email of "Ajay"; I just had his contact saved. In a similar fashion, I can view the email addresses of all the people in my contacts if they are on Tez. It is not necessary to initiate a payment to get his/her email; you can simply view it (if the user is already added in contacts).

This issue was submitted to Google but was marked WONTFIX. Google says: "Thanks for report! We think the issue might not be severe enough for us to track it as a security bug."

This is not such a great bug, but such data can be used in OSINT to perform a targeted attack on a victim. Hope you like the read.

Regards
