إرسال #838880: Chess.com Chess - Play and Learn (Android) 4.9.42 Information Disclosureالمعلومات

عنوانChess.com Chess - Play and Learn (Android) 4.9.42 Information Disclosure
الوصفA vulnerability in the Chess.com Android application (com.chess) allows a local attacker with physical device access and USB debugging enabled to extract sensitive authentication data via ADB backup. The application sets android:allowBackup="true" in AndroidManifest.xml without backup exclusion rules, permitting full data directory extraction without root access. A Google OAuth ID Token (JWT) is stored in plaintext within shared_preferences/ com.chess.app.login_credentials.xml. The extracted token exposes verified user identity claims including email address, full name, profile picture URL, and Google subject identifier (sub). CWE-312/CWE-530/CWE-922.
المصدر⚠️ https://github.com/honestcorrupt/CHESS.COM-CVE-REQUEST
المستخدم honest_corrupt (UID 85229)
ارسال27/05/2026 03:29 PM (2 أشهر منذ)
الاعتدال28/06/2026 08:41 AM (1 month later)
الحالةتمت الموافقة
إدخال VulDB374522 [Chess Play and Learn App حتى 4.9.42 على Android com.chess AndroidManifest.xml الكشف عن المعلومات]
النقاط20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!