
The Burger King application records the user’s screen and bank card details

Hello! I’m 18 and in my free time I poke around in different applications.

Today I got around to the heavily advertised “Burger King” application – the very one with the “free burger” and promo codes for friends. So, I open the application on my iPhone and watch the traffic. And here is what I find.

At the top: the application’s request to the server; at the bottom: the server’s response to the application

This is a request from the application to the server with info such as the app version, phone model, start time and display resolution. Everything seems okay, right? But in response the phone receives instructions on how to record video from the screen.

The MaxVideoLength parameter (maximum video length) is set to “0”, which means unlimited recording while the application is running. That is, the application doesn’t just record the screen, it does so the whole time. And in exactly the same way it constantly sends the recording to the server.

The screen recording is sent to the server. On the left: the application’s requests; on the right: a detailed view of one request

Note the address *.appsee.com/upload (more on what AppSee is at the end) on the left and the *.mp4 file on the right. All those squares are raw video being sent to the server live. The screen is recorded even while you enter your bank card details into the application, which is required to complete an order.
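As an added example (not the author’s code, and not anything from the Burger King app or AppSee), the following script shows the check a practitioner would run over their own proxy capture to spot the behaviour described above: requests to a third-party analytics host, uploads with a video content type, and a session configuration whose MaxVideoLength is 0. Only the appsee.com domain, the /upload path and the MaxVideoLength field come from the article; the sample capture, the subdomains, the other JSON fields and the first-party hostname are constructed stand-ins.

```python
"""Flag session-replay SDK traffic in a captured mobile app HTTP session.

Constructed example. The entries in SAMPLE_CAPTURE imitate what a
mitmproxy-style export of the app's traffic might contain; every field
name except MaxVideoLength (quoted in the article) is an assumption.
"""
import json
from urllib.parse import urlparse

# Constructed sample capture. Subdomains under appsee.com are placeholders:
# the article shows only "*.appsee.com/upload".
SAMPLE_CAPTURE = [
    {
        "method": "POST",
        "url": "https://sdk.appsee.com/session/start",  # assumed path
        "req_headers": {"Content-Type": "application/json"},
        "req_body": json.dumps({"AppVersion": "5.1", "Device": "iPhone",
                                "Resolution": "1125x2436"}),
        # MaxVideoLength is the field named in the article; RecordTouches is assumed
        "resp_body": json.dumps({"MaxVideoLength": 0, "RecordTouches": True}),
    },
    {
        "method": "PUT",
        "url": "https://sdk.appsee.com/upload?session=abc123",  # session id is made up
        "req_headers": {"Content-Type": "video/mp4"},
        "req_body": "ftypmp42" + "\x00" * 64,  # stand-in for raw MP4 bytes
        "resp_body": "",
    },
    {
        "method": "GET",
        "url": "https://api.first-party.test/menu",  # benign first-party call (assumed)
        "req_headers": {},
        "req_body": "",
        "resp_body": "{}",
    },
]

ANALYTICS_HOSTS = ("appsee.com",)  # the domain named in the article
VIDEO_MIME_PREFIXES = ("video/",)


def host_matches(url, suffixes):
    """True if the URL's host is one of the suffixes or a subdomain of one."""
    host = urlparse(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def classify_entry(entry):
    """Return a list of findings for one captured request/response pair."""
    findings = []
    if not host_matches(entry["url"], ANALYTICS_HOSTS):
        return findings
    findings.append("third-party analytics host")

    # Raw screen video leaving the device: video/* body sent to the analytics host.
    ctype = entry["req_headers"].get("Content-Type", "")
    if ctype.startswith(VIDEO_MIME_PREFIXES):
        findings.append("video upload")

    # Recording policy handed down by the server; 0 means no cap on the recording.
    try:
        cfg = json.loads(entry["resp_body"]) if entry["resp_body"] else {}
    except json.JSONDecodeError:
        cfg = {}
    if isinstance(cfg, dict) and "MaxVideoLength" in cfg:
        if cfg["MaxVideoLength"] == 0:
            findings.append("unlimited screen recording (MaxVideoLength=0)")
        else:
            findings.append(f"screen recording capped at {cfg['MaxVideoLength']}")
    return findings


def scan_capture(capture):
    """Map each flagged URL to its findings; benign first-party calls are omitted."""
    report = {}
    for entry in capture:
        found = classify_entry(entry)
        if found:
            report[entry["url"]] = found
    return report


if __name__ == "__main__":
    for url, found in scan_capture(SAMPLE_CAPTURE).items():
        print(url, "->", ", ".join(found))
```

The script only reads what is already in the capture; the fact that the capture could be taken at all with a proxy certificate is itself the indicator that the app is not pinning its TLS certificates.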

Well, the final cherry on top: AppSee is a metrics, or analytics, service for applications. These guys specialize in exactly this kind of in-app tracking for developers and marketers. Not only is recording the screen not cool, but it is not only the developers of the Burger King application who have access to these videos; any random party such as AppSee’s partners (that is, complete outsiders) has access too, and so does AppSee itself.

Let me remind you that the video is recorded even while you enter your bank card details. And anyone has access to it.

This is what the video itself looks like, or rather a frame from it.

Screenshot of the video extracted from the “Stream” on the AppSee server

Also, the application has no so-called certificate pinning, which allows attackers to easily intercept your traffic using any certificate. And the application records touches on the screen and can match them up with the final video.

The original publication is posted on Pikabu. Two people connected with Burger King showed up there and immediately made a “revelation”, which I refuted. The company’s official VKontakte community is still silent and answers only questions about free stickers. ¯\_(ツ)_/¯

Update from the editorial office at 0:30 on July 12: we have sent a request to Burger King’s press service to find out how the company has used this data and whether it plans to continue doing so.
