In the NQ Contacts Backup & Restore application 1.1 for Android, no HTTPS is used for transmitting login and synced user data. When logging in, the username is transmitted in cleartext along with an SHA-1 hash of the password. The attacker can either crack this hash or use it for further attacks where only the hash value is required.
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Contacts_backup_&_restore | Nq | 1.1 (including) | 1.1 (including) |