CVE-2019-17394

9.8 CRITICAL

📋 TL;DR

The Seesaw Parent and Family Android app, version 6.2.5, writes the username and password to the Android system log (logcat) during login. Anyone who can read that log can recover the credentials: an operator with an ADB session, a root-level process, or a privileged app holding android.permission.READ_LOGS. Since Android 4.1, ordinary third-party apps cannot read other apps' log lines, so "malware on the device" here means privileged malware or a rooted device. All users of the affected version are exposed.

💻 Affected Systems

Products:
  • Seesaw Parent and Family
Versions: 6.2.5 for Android
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the Android mobile application version 6.2.5. Requires app to be installed and used for authentication.

📦 What is this software?

Seesaw is a K-12 classroom platform on which students post work to a digital portfolio and teachers communicate with families. The Parent and Family app is the companion Android app through which a parent or guardian signs in to see their child's posts and teacher messages; the credentials at issue therefore guard student data.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain full access to user accounts, potentially compromising sensitive parent/student information, communication history, and enabling account takeover.

🟠

Likely Case

An attacker with an ADB session, root, or a privileged app reads the log after a parent signs in, recovers the password, and logs in to the parent's account from another device. Because logcat is an in-memory ring buffer that is overwritten as it fills and cleared on reboot, the password is recoverable only for a limited window after each login.

🟢

If Mitigated

With a build later than 6.2.5 the credentials are no longer written, so there is nothing in the log to recover. On an unpatched device, keeping USB debugging off and the device unrooted confines exposure to whoever holds READ_LOGS, and the credentials remain only until the log buffer wraps or the device reboots.

🌐 Internet-Facing: LOW - This is a local device vulnerability, not directly exploitable over the internet.
🏢 Internal Only: HIGH - An operator with ADB access, root, or a privileged app holding READ_LOGS can read the credentials straight out of the log buffer; nothing beyond logcat is needed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires reading the device log, which needs a USB-debugging (ADB) session, root, or a privileged app granted android.permission.READ_LOGS; since Android 4.1 an ordinary third-party app cannot read other apps' log lines. Once the log is readable, logcat output yields the credentials directly, with no authentication bypass involved. The log is an in-memory ring buffer, so the credentials survive only until the buffer wraps or the device reboots.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: A release later than 6.2.5 (neither the disclosure nor this page names the specific fixed build; install the current Play Store release)

Disclosure reference (not a Seesaw vendor advisory): https://pastebin.com/h8v0qxZH

Restart Required: No

Instructions:

1. Open Google Play Store
2. Search for Seesaw Parent and Family
3. Update to the latest version
4. Verify the installed version is above 6.2.5

🔧 Temporary Workarounds

Clear the Log Buffer

android

Logcat is an in-memory ring buffer. Clearing it removes any credential already written (a reboot does the same), but it does not stop the next login from being logged again.

adb logcat -c

Disable Debug Logging

android

Setting a log.tag.<TAG> property only affects code that checks Log.isLoggable() before writing, and the disclosure does not say whether the app does this or which tag it uses, so treat this as best-effort. Note that the value DEBUG would enable debug output rather than suppress it; to silence a tag set it to SUPPRESS. The property is reset on reboot.

adb shell setprop log.tag.<SeesawLoginTag> SUPPRESS
Configure the app to not log sensitive data, if it exposes such a setting

Restrict Log Access

android

On Android 4.1 and later only ADB, root, and apps holding android.permission.READ_LOGS (a signature/privileged/development permission) can read other apps' log lines, so the practical control is to keep USB debugging off and the device unrooted. On managed devices, enforce this through your MDM with the DISALLOW_DEBUGGING_FEATURES user restriction. Revoking READ_LOGS from a specific package is done with pm revoke (pm has no deny command); revoking it from com.android.shell would also break adb logcat for your own verification.

adb shell pm revoke <package> android.permission.READ_LOGS
Use device management policies to restrict debugging and log access

🧯 If You Can't Patch

  • Uninstall the vulnerable app version and use web interface instead
  • Implement mobile device management (MDM) to restrict log access and monitor for credential extraction attempts

🔍 How to Verify

Check if Vulnerable:

1. Install app version 6.2.5 on a test device with USB debugging enabled
2. Clear the buffer: adb logcat -c
3. Sign in with a test account whose password you know
4. Dump the buffer and search for that password literally, not only for keywords: adb logcat -d | grep -F 'YourTestPassword'
5. A hit means the build is vulnerable; adb logcat -d | grep -iE 'username|password|auth' shows the surrounding context
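As an added example (not code from the disclosure or from Seesaw), the following POSIX shell functions automate step 4 against a saved logcat dump. It goes a little beyond the grep above: besides the literal test password it decodes any HTTP Basic Authorization header and checks the decoded value, since a password that is not logged in clear text can still be recovered from a logged header. The excerpt written by write_sample_dump is constructed for the example, not captured from the real app; the package name, log tags and hostname in it are placeholders.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Seesaw.
# Scan a logcat dump for a known test password, both in clear text and
# inside HTTP Basic Authorization headers (base64 of user:password).

# scan_logcat_for_creds DUMPFILE SECRET
# Prints each leaking line; exits 0 if at least one leak was found
# (the build is vulnerable), 1 if none was found in this buffer.
scan_logcat_for_creds() {
    dump="$1"
    secret="$2"
    found=0
    while IFS= read -r line; do
        case "$line" in
            *"$secret"*)
                # Clear-text leak: the literal password was written to the log.
                printf 'CLEARTEXT: %s\n' "$line"
                found=1 ;;
        esac
        case "$line" in
            *"Authorization: Basic "*)
                # Header leak: isolate the token, decode it, and look for the
                # password in the decoded user:password pair.
                b64="${line##*"Authorization: Basic "}"
                b64="${b64%% *}"
                decoded="$(printf '%s' "$b64" | base64 -d 2>/dev/null || true)"
                case "$decoded" in
                    *"$secret"*)
                        printf 'BASIC-AUTH: %s (decodes to %s)\n' "$line" "$decoded"
                        found=1 ;;
                esac ;;
        esac
    done < "$dump"
    [ "$found" -eq 1 ]
}

# write_sample_dump OUTFILE SECRET
# Writes a constructed logcat excerpt (not captured from the real app; the
# package name, tags and hostname are placeholders) that logs the way a
# careless login handler would: once in clear text, once as a Basic header.
write_sample_dump() {
    out="$1"
    secret="$2"
    basic="$(printf '%s' "parent@example.com:$secret" | base64 | tr -d '\n')"
    cat > "$out" <<EOF
10-04 09:12:01.120  4321  4321 I ActivityManager: Start proc 4321:com.seesaw.parents/u0a123
10-04 09:12:05.301  4321  4321 D LoginActivity: login tapped, user=parent@example.com
10-04 09:12:05.302  4321  4321 D LoginActivity: credentials user=parent@example.com pass=$secret
10-04 09:12:05.410  4321  4355 D OkHttp: --> POST https://app.example.invalid/api/session
10-04 09:12:05.411  4321  4355 D OkHttp: Authorization: Basic $basic
10-04 09:12:06.020  4321  4355 D OkHttp: <-- 200 OK
EOF
}
```

Against a real device: adb logcat -d > logcat.txt && scan_logcat_for_creds logcat.txt 'YourTestPassword'. Exit status 0 means at least one leaking line was printed; 1 means none was found in this buffer, which is not proof of safety because the ring buffer may already have wrapped since the login.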

Check Version:

adb shell dumpsys package com.seesaw.parents | grep versionName
(com.seesaw.parents is the package name used on this page; confirm it on the device first with adb shell pm list packages | grep -i seesaw)
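As an added example (not from the disclosure or from Seesaw), these POSIX shell functions turn the version check into a decision: they pull versionName out of dumpsys package output and compare it against 6.2.5 field by field as integers, so that a build such as 6.10.0 is correctly treated as newer than 6.2.5, which a plain string comparison gets wrong. The dumpsys excerpt in SAMPLE_DUMPSYS is constructed for offline use; its userId and versionCode values are placeholders, and the package name is the one this page gives.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Seesaw: read versionName
# out of `dumpsys package` output and compare it against 6.2.5 numerically.
#
# On a device:  adb shell dumpsys package com.seesaw.parents | extract_version_name
# com.seesaw.parents is the package name this page uses; confirm it first with
# `adb shell pm list packages | grep -i seesaw`.

# extract_version_name: print the first versionName= value found on stdin.
extract_version_name() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# version_le A B: exit 0 if dotted version A <= B, comparing field by field
# as integers; a non-numeric suffix such as -beta on a field is ignored.
version_le() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 0
}

# is_affected_build VERSION: exit 0 if the build is not newer than 6.2.5.
# The page names no fixed release, only "versions after 6.2.5", so anything
# not newer than 6.2.5 is treated as unpatched.
is_affected_build() {
    version_le "$1" "6.2.5"
}

# Constructed dumpsys excerpt for offline use; real output is far longer and
# the userId/versionCode values here are placeholders.
SAMPLE_DUMPSYS='Packages:
  Package [com.seesaw.parents] (a1b2c3d):
    userId=10123
    versionCode=625 minSdk=21 targetSdk=28
    versionName=6.2.5
    flags=[ HAS_CODE ALLOW_CLEAR_USER_DATA ]'
```

Typical use: v=$(adb shell dumpsys package com.seesaw.parents | extract_version_name); is_affected_build "$v" && echo "unpatched $v".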

Verify Fix Applied:

1. Update to the latest version
2. Clear the buffer (adb logcat -c) and sign in again
3. Confirm that neither the test password nor any Authorization header appears in adb logcat -d output

📡 Detection & Monitoring

Log Indicators:

  • The username and password literals in Android logcat output (the account's own password is the definitive match; keyword hits on "username", "password" or "auth" are triage only)
  • Seesaw login log lines carrying credential fields or Authorization header data

Network Indicators:

  • Reading the log produces no network traffic of its own; the observable is later use of the stolen credential
  • The same parent account signing in from a second device or an unfamiliar IP shortly after a login from the known device

SIEM Query:

source="android_logs" AND ("username" OR "password") AND app="Seesaw Parent"

This query presumes that device logs are forwarded by an MDM or log agent, which most mobile fleets do not do; without that feed, detection falls back on the account-side login indicators above.

🔗 References

  • https://pastebin.com/h8v0qxZH (disclosure reference for CVE-2019-17394)
  • https://nvd.nist.gov/vuln/detail/CVE-2019-17394
