Submit #792717: Meesho Android Application 27.3 Cryptographic Issue / Improper Encryption

Title: Meesho Android Application 27.3 Cryptographic Issue / Improper Encryption
Description: The Meesho Android application implements a custom cryptographic mechanism to protect sensitive user data during network communication. However, this implementation contains multiple security weaknesses that undermine both the confidentiality and the integrity of the encrypted data.

The application uses the `AES/CBC/PKCS5Padding` encryption mode to encrypt request payloads, while deriving the encryption key with the deprecated and insecure **MD5 hashing algorithm**. The key derivation process lacks salting and iteration, making the key predictable and vulnerable to brute-force or precomputation attacks. Furthermore, the encrypted payload is constructed by concatenating the Base64-encoded Initialization Vector (IV) and the ciphertext with a delimiter (e.g., `IV.ciphertext`).

Critically, the implementation does not include any form of integrity protection, such as a Message Authentication Code (HMAC) or an authenticated encryption mode (e.g., AES-GCM). Because nothing verifies integrity, an attacker who can intercept and modify network traffic can tamper with the ciphertext without detection, which may lead to unauthorized modification of sensitive request parameters. Additionally, if the backend exposes distinguishable error responses during decryption, the implementation may be vulnerable to a **padding oracle attack**, potentially allowing an attacker to decrypt sensitive data or forge valid encrypted messages.

This insecure cryptographic design violates established security best practices, including OWASP Mobile Top 10 (M5: Insufficient Cryptography) and MASVS guidelines (MSTG-CRYPTO-3 and MSTG-CRYPTO-4).
Source: https://github.com/honestcorrupt/MEESHO-CVE
User: honest_corrupt (UID 85229)
Submission: 03/30/2026 09:21 (8 days ago)
Moderation: 04/06/2026 12:00 (7 days later)
Status: Accepted
VulDB entry: 355509 [Meesho Online Shopping App up to 27.3 on Android com.meesho.supply /api/endpoint risky encryption]
Points: 20
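As an added illustration (not code from the submission or from the Meesho app), the weak construction described above beside an authenticated-encryption replacement, written against the JCA API the description names. The class name, the passphrase "app-secret" and the JSON sample are constructed placeholders; `main` modifies one ciphertext byte in each scheme and shows that AES/CBC without a MAC returns plaintext with no error, while AES/GCM throws `AEADBadTagException`.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.*;
public class PayloadCryptoDemo {
    // Weak, as in the submission: key = MD5(secret), unsalted, single pass; anyone holding the APK's secret recomputes it.
    static byte[] weakKey(String secret) throws Exception {
        return MessageDigest.getInstance("MD5").digest(secret.getBytes(StandardCharsets.UTF_8));
    }
    // Weak: AES/CBC/PKCS5Padding, token = base64(iv) + "." + base64(ciphertext), no MAC over either part.
    static String weakEncrypt(byte[] key, byte[] pt) throws Exception {
        byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return Base64.getEncoder().encodeToString(iv) + "." + Base64.getEncoder().encodeToString(c.doFinal(pt));
    }
    static byte[] weakDecrypt(byte[] key, String token) throws Exception {
        String[] p = token.split("\\.", 2);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(Base64.getDecoder().decode(p[0])));
        return c.doFinal(Base64.getDecoder().decode(p[1])); // only the padding is checked; altered ciphertext still "decrypts"
    }
    // Hardened: salted, iterated PBKDF2-HMAC-SHA256 key; AES/GCM/NoPadding, 12-byte nonce prefixed to ciphertext, 128-bit tag.
    static byte[] strongKey(char[] secret, byte[] salt) throws Exception {
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(new PBEKeySpec(secret, salt, 600_000, 256)).getEncoded();
    }
    static byte[] strongEncrypt(byte[] key, byte[] pt) throws Exception {
        byte[] nonce = new byte[12]; new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(pt), out = Arrays.copyOf(nonce, 12 + ct.length);
        System.arraycopy(ct, 0, out, 12, ct.length); return out;
    }
    static byte[] strongDecrypt(byte[] key, byte[] blob) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, blob, 0, 12));
        return c.doFinal(blob, 12, blob.length - 12); // throws AEADBadTagException on any modification of nonce, body or tag
    }
    public static void main(String[] args) throws Exception {
        byte[] msg = "{\"order_id\":1001,\"amount\":499}".getBytes(StandardCharsets.UTF_8); // constructed sample
        String[] p = weakEncrypt(weakKey("app-secret"), msg).split("\\.", 2);
        byte[] body = Base64.getDecoder().decode(p[1]); body[0] ^= 0x01; // one bit of the first ciphertext block changed
        byte[] pt = weakDecrypt(weakKey("app-secret"), p[0] + "." + Base64.getEncoder().encodeToString(body));
        System.out.println("CBC returned " + pt.length + " plaintext bytes from the tampered token, no error raised");
        byte[] salt = new byte[16]; new SecureRandom().nextBytes(salt);
        byte[] k = strongKey("app-secret".toCharArray(), salt), blob = strongEncrypt(k, msg); blob[12] ^= 0x01;
        try { strongDecrypt(k, blob); } catch (AEADBadTagException e) { System.out.println("GCM rejected the tampered blob"); }
    }
}
```

The KDF change only raises the cost of guessing a secret that ships inside the APK; it is the authenticated mode that closes the tampering and padding-oracle issues, since GCM verifies the tag before releasing any plaintext and has no padding to leak.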
