Security News > 2022 > February > Zenly Social-Media App Bugs Allow Account Takeover
Zenly, a social app from Snap that allows users to see the locations of friends and family on a live map, contains a pair of vulnerabilities that could endanger those being tracked.
"When submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not," explained the researchers, in a Thursday posting.
Obtaining usernames is easier than it might be, they added, since Zenly exposes an "Exhaustive list of friends of a user."
"This friend invitation will trigger a request to the /FriendRequestCreate endpoint, whose response contains specific information regarding both our user and the target user," they added.
A successful exploit would allow an attacker to access a user's location, notifications, conversations and friends' information just like the legitimate user could.
After the SMS message is sent to the user, the app calls the /SessionVerify endpoint with both the session token and the verification code received by SMS. An attacker can abuse the /SessionCreate endpoint to steal session tokens, the researchers explained: "Once the legitimate user validates the SMS code for that session token, the session will become valid for both the legitimate user and the attackerThis means that the attacker now has a valid session for the account of the legitimate user, even though the attacker never knew the verification code."