CVE-2019-17355

9.8 CRITICAL

📋 TL;DR

The Orbitz Android app version 19.31.1 stores authentication credentials in system logs during login, exposing usernames and passwords to attackers who can access logcat. This affects all users of the vulnerable Android application version. Attackers with physical access or malware on the device can extract credentials from logs.

💻 Affected Systems

Products:
  • Orbitz - Flights, Hotels, Cars
Versions: 19.31.1
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android version of the Orbitz application. Requires app to be installed and authentication to occur.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full access to user accounts, leading to identity theft, financial fraud, unauthorized bookings, and exposure of personal information including payment details.

🟠 Likely Case

Local malware or users with physical access extract credentials from logs, compromising individual user accounts for unauthorized access or credential reuse attacks.

🟢 If Mitigated

With proper logging controls and credential masking, the exposure is limited to debug environments only, preventing production credential leakage.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to device logs via ADB, malware, or physical access. No authentication bypass needed once logs are accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 19.31.1

Vendor Advisory: https://pastebin.com/GgpFz3ZW

Restart Required: Yes

Instructions:

1. Update Orbitz app via Google Play Store
2. Uninstall vulnerable version 19.31.1
3. Install latest version from official store
4. Restart device after installation

🔧 Temporary Workarounds

Disable Debug Logging (Android)

Prevent the app from writing sensitive data to logs by disabling debug logging in production builds.

On a device, lower the loggable level for the app's tag (this only takes effect if the app gates its log calls on Log.isLoggable, and the property is lost on reboot; the tag name "Orbitz" is assumed here):

adb shell setprop log.tag.Orbitz SUPPRESS

For the app build itself, in build.gradle: buildConfigField 'boolean', 'ENABLE_LOGGING', 'false'

Credential Masking (Android)

Implement credential masking in logging statements so that plaintext secrets never reach logcat, e.g.:

Log.d(TAG, "Auth attempt for: " + maskCredentials(username, password))

where maskCredentials returns only a redacted identifier (for example the first character of the username followed by "***") and never any part of the password.

🧯 If You Can't Patch

  • Uninstall vulnerable Orbitz app version 19.31.1 immediately
  • Use web version of Orbitz instead of mobile app until patched
  • Enable device encryption and strong authentication on Android device
  • Monitor for suspicious account activity and change passwords regularly

🔍 How to Verify

Check if Vulnerable:

1. Install Orbitz 19.31.1 on Android device
2. Run: adb logcat | grep -i orbitz
3. Attempt login and check if credentials appear in logs

Check Version:

adb shell dumpsys package com.orbitz.android | grep versionName

Verify Fix Applied:

1. Update to latest Orbitz version
2. Repeat login process
3. Verify no credentials appear in adb logcat output

📡 Detection & Monitoring

Log Indicators:

  • Plaintext usernames/passwords in Android logcat
  • Orbitz authentication logs containing credential patterns

Network Indicators:

  • Unusual login locations/times for Orbitz accounts
  • Multiple failed login attempts followed by success

SIEM Query:

source="android_logs" AND ("password" OR "username") AND "Orbitz"
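The "How to Verify" steps and the log indicators above can be automated. The following is an added example, not part of the original advisory and not Orbitz code: a Python checker that parses `adb logcat -v threadtime` output, flags lines carrying a password field or the test account's own credentials, and reports them with the secrets masked. The sample lines, the `OrbitzAuth` tag and the test account are constructed for the example.

```python
import re

# Constructed sample "adb logcat -v threadtime" output. The tag "OrbitzAuth", the
# account and the wording are assumptions for this example, not the app's real lines.
SAMPLE_LOGCAT = """\
10-12 14:03:11.201  4821  4821 D OrbitzAuth: login request user=jane.doe@example.com password=Tr0ub4dor&3
10-12 14:03:11.240  4821  4899 I OkHttp: --> POST https://www.example.com/api/login
10-12 14:03:11.402  4821  4899 D OrbitzAuth: response {"status":"ok","token":"[redacted]"}
10-12 14:03:12.010  1203  1203 W ActivityManager: Slow operation: 120ms
"""

# threadtime line layout: date time pid tid level tag: message
LOGCAT_LINE = re.compile(
    r"^\d{2}-\d{2} [\d:.]+\s+\d+\s+\d+\s+[VDIWEFS] (?P<tag>[^:]+): (?P<msg>.*)$")
# key=value and JSON-style "key":"value" forms of common password field names
CRED_PATTERN = re.compile(
    r"""(?i)\b(password|passwd|pwd|pass)\b\s*["']?\s*[:=]\s*["']?(?P<secret>[^\s"',]+)""")


def redact(msg, known_secrets=()):
    """Mask password values and known test secrets so a finding can be
    reported without re-leaking the credential."""
    out = CRED_PATTERN.sub(
        lambda m: m.group(0)[: m.start("secret") - m.start()] + "***", msg)
    for secret in known_secrets:
        if secret:
            out = out.replace(secret, "***")
    return out


def find_credential_leaks(logcat_text, known_secrets=(), tag_filter=None):
    """Return (line_no, tag, reason, redacted_msg) per leaking line. known_secrets:
    the test account's username/password; tag_filter: optional substring on the tag."""
    findings = []
    for n, line in enumerate(logcat_text.splitlines(), 1):
        m = LOGCAT_LINE.match(line)
        if not m:
            continue  # continuation or garbage lines carry no tag
        tag, msg = m.group("tag").strip(), m.group("msg")
        if tag_filter and tag_filter.lower() not in tag.lower():
            continue
        reasons = []
        if CRED_PATTERN.search(msg):
            reasons.append("password field in log message")
        if any(s and s in msg for s in known_secrets):
            reasons.append("test-account secret echoed verbatim")
        if reasons:
            findings.append((n, tag, "; ".join(reasons), redact(msg, known_secrets)))
    return findings
```

An empty result for the login attempt is the pass condition for step 3 of "Verify Fix Applied", which makes the function usable as a CI gate against a test device's logcat.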
