
Unrewarded Vulnerability in Android: The Risks of Ignoring FLAG_SECURE in Testing

Original Post: Unrewarded Vulnerability : Android Testing — Missing FLAG_SECURE | by cyberOjas | Sep, 2024

Ojas, an application penetration tester, discovered a significant security issue in an Android e-commerce application during a private bug bounty program on Bugcrowd. He found that the password entered on the login screen remained visible in the app's preview in the recent-apps switcher after the app was sent to the background, a user privacy risk caused by the absence of the FLAG_SECURE Android window flag. This flag prevents the system from capturing a window's content in screenshots, app previews, and screen recordings. Although the program acknowledged the issue as P4 priority and awarded him 5 points, it did not pay a bounty because of a policy change. Ojas notes that such issues are routinely accepted in penetration testing reports but not always rewarded in bug bounty programs, despite their importance in safeguarding user data.
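The fix for the class of issue described above, as an added example written for this summary rather than code from the post or from the tested app (the activity name and layout id are assumptions):

```kotlin
import android.app.Dialog
import android.os.Bundle
import android.view.WindowManager
import androidx.appcompat.app.AppCompatActivity

// Hypothetical login screen; class name and layout id are assumptions.
class LoginActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // Mark this window as secure before any sensitive view is attached,
        // so the system does not capture its contents for screenshots,
        // screen recordings, or the recents (app-switcher) preview.
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )
        setContentView(R.layout.activity_login)
    }

    // FLAG_SECURE is per-window: a dialog that shows sensitive data has
    // its own window and must be flagged separately, or it will still be
    // captured even though the activity behind it is protected.
    fun showSecureDialog(dialog: Dialog) {
        dialog.window?.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        dialog.show()
    }
}
```

To confirm the flag is in effect, repeat the check from the post: enter text on the screen, send the app to the background, and verify that the recents preview no longer shows the field contents.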

