CVE-2018-13342

9.8 CRITICAL

📋 TL;DR

CVE-2018-13342 is a critical vulnerability in the Anda public transportation app for Porto, Portugal, where the server API uses hardcoded credentials. This allows attackers to bypass authentication and access sensitive user data and backend systems. Anyone using the vulnerable version of the Anda app is affected.

💻 Affected Systems

Products:
  • Anda public transportation app
Versions: All versions prior to the fix
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the server-side API, not the client app itself, but affects all app users connecting to the vulnerable backend.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the backend server, allowing attackers to access all user data (personal information, payment details, travel history), manipulate transportation data, or disrupt service operations.

🟠 Likely Case

Unauthorized access to user accounts, theft of personal data, and potential manipulation of app functionality like ticket purchases or route information.

🟢 If Mitigated

Limited impact if proper network segmentation, credential rotation, and monitoring are in place, though the hardcoded credentials remain a persistent risk.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward as it involves using publicly disclosed hardcoded credentials to access the API without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown specific version, but fixed after disclosure in 2018

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

1. Update the Anda app to the latest version from official app stores.
2. Ensure the backend server has been patched by the vendor to remove hardcoded credentials and implement proper authentication.

🔧 Temporary Workarounds

Network segmentation and access control (applies to: all)

Restrict network access to the API server to only trusted IPs or networks to reduce exposure.

Credential rotation and monitoring (applies to: all)

If patching is delayed, rotate any hardcoded credentials and monitor for unauthorized access attempts.

🧯 If You Can't Patch

  • Implement strict network firewalls to block all external access to the vulnerable API endpoints.
  • Deploy intrusion detection systems (IDS) to monitor for credential misuse and alert on suspicious API activity.

🔍 How to Verify

Check if Vulnerable:

Attempt to access the Anda server API using the disclosed hardcoded credentials (e.g., via curl or a similar tool) to see if authentication is bypassed.

Check Version:

On mobile devices, check app version in settings: Android: Settings > Apps > Anda > App info; iOS: Settings > Anda > Version.

Verify Fix Applied:

Test the API with the same credentials; access should be denied with proper authentication required. Check that the app version is updated and backend responses indicate secure authentication.

📡 Detection & Monitoring

Log Indicators:

  • Failed authentication attempts with hardcoded credentials
  • Unusual API access patterns from unexpected IPs
  • High volume of requests to sensitive endpoints

Network Indicators:

  • Traffic to the Anda API server using known hardcoded credentials in requests
  • Unencrypted or suspicious API calls from unauthorized sources

SIEM Query:

Example: search for 'Anda API' AND (credential='hardcoded_value' OR auth_failure) in server logs over a time window.
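The three log indicators above, implemented as a small detection script. This is an added example, not part of the original page or the Anda project: the log format, the paths and the IPs are constructed for illustration, and HARDCODED_CREDENTIAL is a placeholder the analyst replaces with the value from the disclosure.

```python
import re
from collections import Counter

# Placeholder for the credential disclosed for CVE-2018-13342; the real value is
# deliberately not reproduced here and must be supplied by the analyst.
HARDCODED_CREDENTIAL = "HARDCODED_VALUE_PLACEHOLDER"

# Constructed sample access-log lines in a hypothetical format:
#   <timestamp> <client-ip> <method> <path> <status> auth=<credential-presented>
# The IPs are documentation ranges and the paths are made up for this example.
SAMPLE_LOG = """\
2018-07-10T10:00:01Z 203.0.113.5 GET /api/v1/users/me 200 auth=session-token-abc
2018-07-10T10:00:02Z 198.51.100.7 GET /api/v1/users 200 auth=HARDCODED_VALUE_PLACEHOLDER
2018-07-10T10:00:03Z 198.51.100.7 GET /api/v1/tickets 200 auth=HARDCODED_VALUE_PLACEHOLDER
2018-07-10T10:00:04Z 192.0.2.9 POST /api/v1/login 401 auth=HARDCODED_VALUE_PLACEHOLDER
2018-07-10T10:00:05Z 192.0.2.9 POST /api/v1/login 401 auth=guess-2
2018-07-10T10:00:06Z 192.0.2.9 POST /api/v1/login 401 auth=guess-3
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) auth=(\S+)$")


def analyze_log(log_text, failure_threshold=3):
    """Return the indicators listed above, keyed by source IP.

    hardcoded_presented: IPs that sent the hardcoded credential at all.
    hardcoded_accepted:  IPs for which the backend answered 2xx/3xx to it,
                         i.e. evidence the server is still unpatched.
    auth_failure_ips:    IPs with at least `failure_threshold` 401/403 responses.
    """
    presented, accepted, failures = set(), set(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, ip, _method, _path, status, cred = m.groups()
        status = int(status)
        if cred == HARDCODED_CREDENTIAL:
            presented.add(ip)
            if status < 400:
                accepted.add(ip)
        if status in (401, 403):
            failures[ip] += 1
    return {
        "hardcoded_presented": sorted(presented),
        "hardcoded_accepted": sorted(accepted),
        "auth_failure_ips": sorted(ip for ip, n in failures.items() if n >= failure_threshold),
    }


if __name__ == "__main__":
    for key, ips in analyze_log(SAMPLE_LOG).items():
        print(f"{key}: {ips}")
```

A non-empty hardcoded_accepted list is the strongest signal: it means the backend still honours the hardcoded credential and the fix has not been applied.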
