CVE-2019-17397

9.8 CRITICAL

📋 TL;DR

The DoorDash Android app versions through 11.5.2 store authentication credentials in application logs, allowing attackers with physical access or malware to extract usernames and passwords via logcat. This affects all Android users of the vulnerable DoorDash app versions.

💻 Affected Systems

Products:
  • DoorDash
Versions: through 11.5.2
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android version of DoorDash app. Requires app to be installed and used for authentication.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain full access to user DoorDash accounts, enabling fraudulent orders, payment theft, and personal information exposure.

🟠 Likely Case

Malicious apps or users with physical device access extract credentials from logs, leading to account compromise and potential financial loss.

🟢 If Mitigated

With proper app sandboxing and log access restrictions, only privileged users or malware with specific permissions could access the credentials.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring access to the device's logs, not directly exploitable over the internet.
🏢 Internal Only: HIGH - Any malicious app or user with physical access to the device can potentially read the logs containing credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires access to device logs via logcat, which can be achieved through malicious apps or physical access. The pastebin references demonstrate the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 11.5.2

Vendor Advisory: Not publicly available

Restart Required: No

Instructions:

1. Update the DoorDash app from the Google Play Store to the latest version.
2. Ensure auto-updates are enabled.
3. Verify the app version is greater than 11.5.2.

🔧 Temporary Workarounds

Disable debug logging (android)

Prevent credential logging by disabling debug features in the app or system. The setprop command below sets the log level for the app's tag to SUPPRESS (the original page showed DEBUG, which enables rather than disables debug output). It only takes effect for code that gates its logging on Log.isLoggable(); unconditional Log.d() calls are unaffected, and the command itself needs adb access, so disable USB debugging again afterwards.

adb shell setprop log.tag.DoorDash SUPPRESS
Disable USB debugging on device

Restrict log access (android)

Use Android permissions to limit which apps can read system logs.

Review app permissions and remove READ_LOGS from untrusted apps. On Android 4.1 and later READ_LOGS is not granted to ordinary third-party apps, so the practical exposure is from privileged or system apps, apps granted the permission over adb, and anyone with USB debugging access to the device.

🧯 If You Can't Patch

  • Uninstall vulnerable DoorDash app version and use web interface instead
  • Enable device encryption and strong lock screen to prevent physical access

🔍 How to Verify

Check if Vulnerable:

Install vulnerable version, authenticate, then run: adb logcat | grep -i doordash

Check Version:

Check app version in Android Settings > Apps > DoorDash

Verify Fix Applied:

Update the app, authenticate, and check the logs with the same command; the output should contain no credentials.

📡 Detection & Monitoring

Log Indicators:

  • Log entries containing 'password', 'username', 'auth', 'login' from DoorDash process

Network Indicators:

  • Unusual login locations or failed login attempts after credential exposure

SIEM Query:

process_name:"DoorDash" AND (log_message:"password" OR log_message:"username")
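As an added example (not part of this advisory or the DoorDash app), a defender-side scanner over captured logcat output that flags credential-shaped fields in lines tagged by the app and redacts the values so the finding itself does not re-leak them. The sample capture and the assumption that the app's log tags contain "doordash" are constructed for the example.

```python
import re
from dataclasses import dataclass

# logcat "threadtime" layout: date time pid tid level tag: message
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s+(?P<pid>\d+)\s+(?P<tid>\d+)\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+?)\s*:\s(?P<msg>.*)$"
)
# key=value / key: value / "key":"value" pairs whose key looks like a credential field
CRED_RE = re.compile(
    r'(?i)\b(password|passwd|pwd|username|user|auth_token|token)\b"?\s*[=:]\s*"?([^\s",;}]+)'
)

@dataclass
class Finding:
    ts: str
    pid: str
    tag: str
    fields: dict  # credential field name -> redacted value

def redact(value: str) -> str:
    """Report only the length so the finding does not re-leak the secret."""
    return f"<redacted {len(value)} chars>"

def scan_logcat(lines, tag_filter=("doordash",)):
    """Return findings for lines whose tag matches the filter and whose
    message carries a credential-shaped field. Assumed tag filter: the
    app's log tags contain 'doordash' (not confirmed by the advisory)."""
    findings = []
    for line in lines:
        m = LOGCAT_RE.match(line)
        if not m:  # skip buffer headers and non-threadtime lines
            continue
        if not any(t in m["tag"].lower() for t in tag_filter):
            continue
        fields = {k.lower(): redact(v) for k, v in CRED_RE.findall(m["msg"])}
        if fields:
            findings.append(Finding(m["ts"], m["pid"], m["tag"].strip(), fields))
    return findings

# Constructed sample capture, not real app output
SAMPLE_LOGCAT = [
    "--------- beginning of main",
    "10-09 12:00:01.100  4242  4242 D DoorDash: login request username=alice@example.com password=hunter2",
    "10-09 12:00:01.250  4242  4301 I DoorDash: cart updated items=3",
    '10-09 12:00:02.000  4242  4242 D DoorDashAuth: body={"user":"alice","token":"eyJabc.def.ghi"}',
    "10-09 12:00:03.500  5150  5150 D OtherApp: password=notOurs",
]
```

Feed it the output of `adb logcat -v threadtime` (line by line) to triage a real capture; the same keyword list can be reused in the SIEM query above.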

🔗 References
