ZUS Coffee Security Test Report

Good-faith statement

As a security researcher acting in good faith, I hereby solemnly declare that the sole purpose of this security audit is to help improve the security of the system and to contribute to protecting user data. All sensitive information in this report has been redacted so that it cannot be misused by malicious actors. I consistently adhere to the principle of good-faith, responsible disclosure, and hope that through professional vulnerability discovery and timely reporting I can help the development team fix these security issues as quickly as possible. Throughout this process I strictly complied with applicable laws and regulations and had no intent whatsoever to cause damage or to exploit anything maliciously.

I sincerely look forward to constructive interaction between white-hat hackers and the development team, so that together we can strengthen the company's information security and build a stronger data-protection barrier for its users.

Severity: CRITICAL (CVSS 8.9)

26 March 2025 | Flutter application | High-risk vulnerability

Overview

Web application security

Testing found the ZUS Coffee web component to be well protected overall: the WAF, CloudFront, CORS configuration and authentication mechanisms all function correctly, and no obvious vulnerabilities were found. The development team has done excellent work here.

Mobile application security

The mobile application is built with Flutter. By decompiling the APK, extracting the libapp.so file and analysing its strings, we identified multiple sensitive API endpoints and hard-coded sensitive values. If misused, these could lead to API abuse, data leakage, fake-referral manipulation, session hijacking and push-notification abuse.

Vulnerability impact chain

(Figure: data-leakage impact chain diagram)

Flutter application source-code analysis

Analysis method

The libapp.so library inside the APK was analysed dynamically with a custom Frida script (extract_functions_apk.js):

Java.perform(function() {
  var libName = "libapp.so";
  var lib = Module.findBaseAddress(libName);

  if (lib) {
    console.log("[+] Found " + libName + " at " + lib);

    // Exported functions and variables of the Flutter AOT snapshot library
    var exports = Module.enumerateExports(libName);
    exports.forEach(function(exp) {
      console.log(
        "[EXPORT] " + exp.type + " " + exp.name + " at " + exp.address
      );
    });

    // Remaining symbol-table entries (mostly stripped in release builds)
    var symbols = Module.enumerateSymbols(libName);
    symbols.forEach(function(sym) {
      console.log("[SYMBOL] " + sym.name + " at " + sym.address);
    });
  } else {
    console.log("[-] Library not found");
  }
});

Security risk analysis

Source Files
package:love_coffee/screens/home_loyalty_term_condition/components/loyalty_card.dart
package:love_coffee/providers/product_detail_provider.dart
package:love_coffee/screens/delete_account/delete_account.dart
package:love_coffee/screens/home_menu_main_v3/menu_page.dart
package:love_coffee/models/help_centre/help_search.dart
package:love_coffee/components/payment_details_field.dart
package:love_coffee/models/google_models/google_autocomplete.dart
package:love_coffee/screens/payment/payment_method_page.dart
package:love_coffee/components/message_border.dart
package:love_coffee/services/SharedPreference_tutorial.dart
package:love_coffee/shared_functions/badge_display.dart
package:love_coffee/services/SharedPreference_UUID.dart
package:love_coffee/screens/voucher/referee_perk_details.dart
package:love_coffee/extensions/ordinal_number.dart
package:love_coffee/screens/login_signup/components/phone_number_field.dart
package:love_coffee/providers/country_provider.dart
package:love_coffee/screens/help_centre/component/shimmer_loading.dart
package:love_coffee/models/balance_models/balance_type.dart
package:love_coffee/models/mission_models/mission.dart
package:love_coffee/models/tumbler_models/tumbler_catalogue.dart
package:love_coffee/models/voucher_models/voucher.dart
package:love_coffee/components/conditional_builder.dart
package:love_coffee/components/padded_pdf_table_row.dart
package:love_coffee/components/custom_badge.dart
package:love_coffee/components/countdown_timer_builder.dart
package:love_coffee/screens/home_order_details/components/payment_method_section.dart
package:love_coffee/shared_functions/share_dialog_logout.dart
package:love_coffee/screens/zus_balance/zus_balance_start.dart
package:love_coffee/screens/zus_balance/zus_balance_main.dart
package:love_coffee/global_variable/Global_variable.dart
package:love_coffee/models/product_models/product_category.dart
package:love_coffee/screens/help_centre/faq_category_page.dart
package:love_coffee/providers/help_centre_provider.dart
package:love_coffee/providers/home_provider.dart
package:love_coffee/screens/gift_card/gift_card_history_sent.dart
package:love_coffee/api/api_caller.dart
package:love_coffee/services/SharedPreference_rateOrderId.dart
package:love_coffee/screens/voucher/widgets/loyalty_voucher_item.dart
package:love_coffee/screens/delivery/screens/google_map_screen.dart
package:love_coffee/providers/login_provider.dart
package:love_coffee/screens/zus_balance/zus_balance_reload.dart
package:love_coffee/shared_functions/confirmation_dialogs.dart
package:love_coffee/models/user_models/user_registration.dart
package:love_coffee/screens/login_signup/components/country_prefix_dialog/country_prefix_search_bar.dart
package:love_coffee/managers/yellow_ai_manager.dart
package:love_coffee/models/referral_models/referral_info.dart
package:love_coffee/components/custom_button.dart
package:love_coffee/components/shimmer_widget.dart
package:love_coffee/models/product_models/product_alternative.dart
package:love_coffee/screens/home_page_main/home_page_main.dart
package:love_coffee/services/SharedPreference_pickup.dart
package:love_coffee/models/loyalty_modals/loyalty_zus_point_history.dart
package:love_coffee/screens/home_menu_main_v3/components/product_search_delegate.dart
package:love_coffee/providers/balance_provider.dart
package:love_coffee/screens/zus_wrapped/pages/zus_wrapped_fourth_page.dart
package:love_coffee/screens/zus_balance/zus_balance_reload_gift_card.dart
package:love_coffee/models/store_models/store.dart
package:love_coffee/screens/mission_reward/redeem_reward_details.dart
package:love_coffee/components/payment_method_field.dart
package:love_coffee/screens/voucher/voucher_details.dart
package:love_coffee/models/get_HereMaps_result.dart
package:love_coffee/screens/checkout_processing/component/out_of_stock_nested_menu.dart
package:love_coffee/screens/sms_confirmation/component/otp_field.dart
package:love_coffee/screens/home_page_main/components/home_action_button.dart
package:love_coffee/shared_functions/navigation_helper.dart
package:love_coffee/screens/product_details/widgets/prdt_hot_ice_selection.dart
package:love_coffee/shared_functions/order_method_dialog.dart
package:love_coffee/shared_functions/payment_function.dart
package:love_coffee/services/SharedPreference_buy1free1banner.dart
package:love_coffee/components/custom_bottom_widget.dart
package:love_coffee/shared_functions/date_range_picker.dart
package:love_coffee/providers/zus_wrapped_provider.dart
package:love_coffee/components/transparent_route.dart
package:love_coffee/screens/user_profile_edit/profile_register_page.dart
package:love_coffee/screens/qr_code/qr_code_scan.dart
package:love_coffee/screens/home_loyalty_term_condition/loyalty_page.dart
package:love_coffee/screens/pickup/pickup_page.dart
package:love_coffee/providers/outlet_provider.dart
package:love_coffee/models/user_models/user_balance.dart
package:love_coffee/screens/user_profile/user_profile_main.dart
package:love_coffee/models/loyalty_modals/loyalty_info.dart
package:love_coffee/models/get_api_token.dart
package:love_coffee/models/mini_game.dart
package:love_coffee/screens/gift_card/gift_card_history.dart
package:love_coffee/screens/mini_game/screens/mini_game_info.dart
package:love_coffee/models/referral_models/referee_perk.dart
package:love_coffee/managers/dynamic_link_manager.dart
package:love_coffee/providers/auth_provider.dart
package:love_coffee/shared_functions/custom_appbar.dart
package:love_coffee/models/store_models/store_condition.dart
package:love_coffee/screens/full_banner/full_banner_page.dart
package:love_coffee/screens/tutorial_screen/tutorial_main.dart
package:love_coffee/screens/product_details/widgets/product_ingredient_info.dart
package:love_coffee/models/order.dart
package:love_coffee/models/product_models/nutrition_facts.dart
package:love_coffee/screens/product_details/product_details.dart
package:love_coffee/services/SharedPreference_delivery_store.dart
package:love_coffee/screens/home_zus_points_transaction_history/zus_points_transaction_history_page.dart
package:love_coffee/screens/gift_card/gift_card_main_send.dart
package:love_coffee/models/root_product.dart
package:love_coffee/managers/molpay_manager.dart
package:love_coffee/services/firebase_analytics.dart
package:love_coffee/screens/checkout_processing/component/order_summary.dart
package:love_coffee/screens/pickup/component/pickup_shimmer_loading.dart
package:love_coffee/screens/voucher/partnership_voucher_details.dart
package:love_coffee/screens/product_details/widgets/product_upsells.dart
package:love_coffee/screens/order_feedback/order_feedback.dart
package:love_coffee/providers/banner_provider.dart
package:love_coffee/components/redeem_gift_card_overview.dart
package:love_coffee/screens/user_buy1free1_tutorial/buy_one_free_one_tutorial_page.dart
package:love_coffee/extensions/quick_action_shortcut.dart
package:love_coffee/models/balance_models/balance_redeem.dart
package:love_coffee/providers/bottom_navigation_provider.dart
package:love_coffee/screens/help_centre/component/search_bar.dart
package:love_coffee/models/country_models/country_list_option.dart
package:love_coffee/screens/mini_game/widgets/flipper.dart
package:love_coffee/services/SharedPreference_store.dart
package:love_coffee/shared_functions/shake_animation.dart
package:love_coffee/services/post_api_service.dart
package:love_coffee/providers/quick_action_provider.dart
package:love_coffee/screens/web_view/web_view_banner.dart
package:love_coffee/managers/one_signal_manager.dart
package:love_coffee/models/balance_models/balance_invoice.dart
package:love_coffee/services/SharedPreference_favoriteStore.dart
package:love_coffee/screens/voucher/widgets/referee_perk_item.dart
package:love_coffee/screens/delivery/components/delivery_search_bar.dart
package:love_coffee/shared_functions/bottom_sheet.dart
package:love_coffee/components/store_pinned_message_widget.dart
package:love_coffee/screens/home_page_main/components/merchandise_shimmer.dart
package:love_coffee/screens/country_detection/country_detection_page.dart
package:love_coffee/screens/voucher/widgets/partnership_voucher_item.dart
package:love_coffee/providers/reward_provider.dart
package:love_coffee/screens/login_signup/components/country_prefix_dialog/country_prefix_dialog.dart
package:love_coffee/screens/mini_game/screens/mini_game_main.dart
package:love_coffee/models/voucher_models/partnership_voucher.dart
package:love_coffee/models/molpay_models/molpay_result.dart
package:love_coffee/components/benefit_notice.dart
package:love_coffee/providers/day_night_provider.dart
package:love_coffee/screens/zus_balance/zus_balance_transaction_history.dart
package:love_coffee/models/user_models/user_loyalty.dart
package:love_coffee/screens/referral/referral_invite_history.dart
package:love_coffee/models/product_models/product_addon.dart
package:love_coffee/models/get_checkout_pay.dart
package:love_coffee/screens/pickup/pickup_state_outlets.dart
package:love_coffee/models/gift_card_models/gift_card_page.dart
package:love_coffee/screens/order/generate_order_receipt.dart
package:love_coffee/screens/mission_reward/mission_reward_main.dart
package:love_coffee/screens/pickup/pickup_nearby_outlets_hms.dart
package:love_coffee/models/checkout_models/checkout.dart
package:love_coffee/screens/mission_reward/mission_details.dart
package:love_coffee/extensions/duration_format.dart
package:love_coffee/screens/product_details/widgets/product_nutrition_info.dart
package:love_coffee/screens/referral/referral_qr.dart
package:love_coffee/screens/user_profile_edit/component/profile_field.dart
package:love_coffee/models/molpay_models/molpay_info.dart
package:love_coffee/screens/mini_game/screens/mini_game_history.dart
package:love_coffee/models/referral_models/referral_reward_table_row.dart
package:love_coffee/providers/referral_provider.dart
package:love_coffee/screens/home_page_main/components/home_floating_button.dart
package:love_coffee/services/Get_api_service.dart
package:love_coffee/screens/help_centre/faq_answer_page.dart
package:love_coffee/models/tumbler_models/tumbler_info.dart
package:love_coffee/services/SharedPreference_DeliverType.dart
package:love_coffee/services/SharedPreference_Auth.dart
package:love_coffee/models/balance_models/balance_html.dart
package:love_coffee/screens/sms_confirmation/component/resend_code_option.dart
package:love_coffee/models/google_models/google_place_search.dart
package:love_coffee/screens/voucher/widgets/voucher_item.dart
package:love_coffee/models/conversation.dart
package:love_coffee/screens/delivery/screens/delivery_main.dart
package:love_coffee/models/system_init.dart
package:love_coffee/screens/mission_reward/reward_coming_soon.dart
package:love_coffee/constants/constants.dart
package:love_coffee/screens/delivery/components/bottom_address_display.dart
package:love_coffee/api/api_response.dart
package:love_coffee/screens/help_centre/component/search_result_container.dart
package:love_coffee/screens/home_navigation/home_navigation.dart
package:love_coffee/screens/login_signup/components/country_prefix_dialog/country_prefix_tile.dart
package:love_coffee/models/payment_details.dart
package:love_coffee/screens/mission_reward/redeem_reward_main.dart
package:love_coffee/screens/login_signup/components/received_via_button.dart
package:love_coffee/models/store_models/store_pinned_message.dart
package:love_coffee/providers/user_provider.dart
package:love_coffee/screens/splash_screen/splash_screen.dart
package:love_coffee/components/map_sheet.dart
package:love_coffee/components/custom_search_delegate.dart
package:love_coffee/models/user_models/user_tumbler.dart
package:love_coffee/screens/product_details/widgets/product_basic_info.dart
package:love_coffee/providers/schedule_provider.dart
package:love_coffee/screens/home_menu_checkout/menu_checkout_page.dart
package:love_coffee/models/live_chat.dart
package:love_coffee/models/balance_models/balance_campaign.dart
package:love_coffee/screens/mission_reward/redeem_partnership_details.dart
package:love_coffee/screens/tumbler/tumbler_main.dart
package:love_coffee/models/popups.dart
package:love_coffee/shared_functions/arrow_animation.dart
package:love_coffee/screens/select_country%20/select_country.dart
package:love_coffee/models/checkout_models/cart_item.dart
package:love_coffee/components/custom_drop_down.dart
package:love_coffee/models/delivery_models/delivery_rider.dart
package:love_coffee/screens/referral/referral_journey.dart
package:love_coffee/models/get_out_of_stock_product.dart
package:love_coffee/screens/settings/components/setting_tile.dart
package:love_coffee/providers/contact_provider.dart
package:love_coffee/helper/convert_type_helper.dart
package:love_coffee/models/loyalty_notify_message.dart
package:love_coffee/models/delivery_models/delivery_address.dart
package:love_coffee/models/gift_card_models/gift_card_create.dart
package:love_coffee/providers/event_provider.dart
package:love_coffee/screens/login_signup/components/auth_agreement_section.dart
package:love_coffee/shared_functions/route_animations.dart
package:love_coffee/models/product_models/product.dart
package:love_coffee/screens/pickup/component/outlet_item.dart
package:love_coffee/models/user_models/user.dart
package:love_coffee/services/Post_api_service.dart
package:love_coffee/screens/product_details/widgets/product_bundles.dart
package:love_coffee/models/product_models/product_ingredient.dart
package:love_coffee/screens/gift_card/widgets/redeemed_gift_card.dart
package:love_coffee/enums/day_night.dart
package:love_coffee/providers/product_provider.dart
package:love_coffee/screens/help_centre/help_centre_screen.dart
package:love_coffee/models/balance_models/balance_log.dart
package:love_coffee/providers/gift_card_provider.dart
package:love_coffee/screens/order/order_receipt_preview.dart
package:love_coffee/screens/home_loyalty_faq/loyalty_faq_page.dart
package:love_coffee/extensions/stable_sort_list.dart
package:love_coffee/providers/feedback_provider.dart
package:love_coffee/screens/home_page_main/components/home_order_feedback.dart
package:love_coffee/screens/mission_reward/reward_main.dart
package:love_coffee/screens/home_order_main/home_order_main.dart
package:love_coffee/models/referral_models/referee_onboard_info.dart
package:love_coffee/shared_functions/base_model.dart
package:love_coffee/models/product_models/order_product.dart
package:love_coffee/managers/cdp_manager.dart
package:love_coffee/shared_functions/custom_toast.dart
package:love_coffee/main.dart
package:love_coffee/screens/home_order_main/components/filter.dart
package:love_coffee/components/bouncing_widget.dart
package:love_coffee/screens/gift_card/gift_card_redeem_tab.dart
package:love_coffee/providers/checkout_provider.dart
package:love_coffee/models/referral_models/referee.dart
package:love_coffee/screens/settings/settings.dart
package:love_coffee/services/location_service.dart
package:love_coffee/screens/home_general_feedback/general_feedback_page.dart
package:love_coffee/screens/home_page_main/components/home_banner.dart
package:love_coffee/models/country_models/get_countries.dart
package:love_coffee/models/user_models/user_zus_points.dart
package:love_coffee/extensions/string_ext.dart
package:love_coffee/models/gift_card_models/gift_card_init.dart
package:love_coffee/models/balance_models/balance_details.dart
package:love_coffee/screens/user_profile_edit/component/birthday_bottom_sheet.dart
package:love_coffee/models/gift_card_models/gift_card_background.dart
package:love_coffee/models/checkout_processing.dart
package:love_coffee/providers/splash_provider.dart
package:love_coffee/screens/product_details/widgets/prdt_details_bottom_display.dart
package:love_coffee/api/api_response.g.dart
package:love_coffee/shared_functions/loading_dialog.dart
package:love_coffee/components/show_clear_cart_dialog.dart
package:love_coffee/components/html_page.dart
package:love_coffee/screens/product_details/widgets/prdt_preferrence_selection.dart
package:love_coffee/services/SharedPreference_store_dropdown_menu.dart
package:love_coffee/screens/home_order_details/home_order_details_page.dart
package:love_coffee/providers/global_provider.dart
package:love_coffee/screens/product_details/widgets/product_addons.dart
package:love_coffee/models/app_banner.dart
package:love_coffee/services/sp_service.dart
package:love_coffee/screens/mini_game/models/lucky_draw_model.dart
package:love_coffee/models/balance_models/balance_reload_ref.dart
package:love_coffee/services/SharedPreference_service.dart
package:love_coffee/screens/referral/referral_main.dart
package:love_coffee/screens/gift_card/gift_card_sent_details.dart
package:love_coffee/screens/home_order_main/components/order_list_shimmer.dart
package:love_coffee/models/outlet_state.dart
package:love_coffee/configs/size_config.dart
package:love_coffee/screens/gift_card/gift_card_purchase.dart
package:love_coffee/models/get_generalFeedbacktag.dart
package:love_coffee/screens/home_menu_checkout/components/schedule_time_dropdown.dart
package:love_coffee/providers/pickup_provider.dart
package:love_coffee/models/referral_models/referral_invite_history.dart
package:love_coffee/screens/mission_reward/mission_main.dart
package:love_coffee/screens/zus_balance/zus_balance_transaction_details.dart
package:love_coffee/screens/product_details/widgets/product_reviews.dart
package:love_coffee/utils/signup_util.dart
package:love_coffee/screens/pickup/pickup_nearby_outlets.dart
package:love_coffee/screens/gift_card/gift_card_main.dart
package:love_coffee/providers/order_provider.dart
package:love_coffee/models/payment_models/payment_channel.dart
package:love_coffee/shared_functions/customer_support_dialog.dart
package:love_coffee/models/product_models/product_review.dart
package:love_coffee/screens/home_order_main/components/order_item.dart
package:love_coffee/managers/live_chat_manager.dart
package:love_coffee/screens/setup_bio/setup_biometric_screen.dart
package:love_coffee/screens/home_page_main/components/home_shimmer_loading.dart
package:love_coffee/providers/delivery_provider.dart
package:love_coffee/models/gift_card_models/gift_card.dart
package:love_coffee/shared_functions/scheduling_time_func.dart
package:love_coffee/services/SharedPreference_Delivery.dart
package:love_coffee/screens/voucher/voucher_main.dart
package:love_coffee/services/SharedPreference_faq.dart
package:love_coffee/models/gift_card_models/gift_card_campaign.dart
package:love_coffee/components/custom_alert_dialog.dart
package:love_coffee/screens/home_menu_checkout/components/menu_checkout_item_shimmer.dart
package:love_coffee/models/product_models/product_pool.dart
package:love_coffee/screens/gift_card/gift_card_tnc.dart
package:love_coffee/screens/home_order_main/components/no_order.dart
package:love_coffee/screens/gift_card/gift_card_redeemed_details.dart
package:love_coffee/screens/zus_balance/zus_balance_term.dart
package:love_coffee/components/custom_error_message.dart
package:love_coffee/screens/pickup/component/pickup_location_button.dart
package:love_coffee/screens/delivery/screens/delivery_set_address.dart
package:love_coffee/managers/freshchat_manager.dart
package:love_coffee/managers/connectivity_manager.dart
package:love_coffee/shared_functions/url_launch.dart
package:love_coffee/screens/referral/referral_registration.dart
package:love_coffee/screens/voucher/voucher_checkout.dart
package:love_coffee/screens/checkout_processing/checkout_processing_page.dart
package:love_coffee/extensions/md5_hash.dart
package:love_coffee/models/feedback_models/order_feedback.dart
package:love_coffee/models/payment_models/payment_method.dart
package:love_coffee/screens/product_details/widgets/product_extra_note_info.dart
package:love_coffee/screens/sms_confirmation/sms_confirmation.dart
package:love_coffee/extensions/list_ext.dart
package:love_coffee/screens/zus_wrapped/pages/zus_wrapped_welcome.dart
package:love_coffee/models/merch.dart
package:love_coffee/theme/style.dart
package:love_coffee/screens/login_signup/login_signup.dart
package:love_coffee/screens/gift_card/gift_card_main_redeem.dart
package:love_coffee/screens/mission_reward/redeem_reward_faq_screen.dart
package:love_coffee/models/product_models/product_tag.dart
package:love_coffee/models/help_centre/faq.dart
package:love_coffee/screens/gift_card/gift_card_history_redeemed.dart
package:love_coffee/screens/help_centre/component/live_chat_button.dart
package:love_coffee/screens/mini_game/widgets/mini_game_tnc.dart

Testing methodology and procedure

Mobile application testing method

1. APK decompilation and file extraction
  • Convert the APK to a ZIP file and extract it
  • Extract the libapp.so file
2. String extraction and directory-structure analysis
  strings libapp.so | grep -i dart && strings libapp.so | grep -i "package:love_coffee" > output/zus_filtered_strings.txt
3. Search for sensitive API paths
  v1 endpoints:
  strings source/libapp.so | grep "/api/v1/"
  v3 endpoints:
  strings source/libapp.so | grep "/api/v3/"
  Balance endpoints
  • /api/v1/balance/history
  • /api/v1/balance/reload
  • /api/v1/balance/gift-card/update-gc
  • /api/v1/balance/gift-card/view-redeemed
  • /api/v1/balance/gift-card/view-sent
  • /api/v1/balance/gift-card/continue-payment
  Cart and checkout endpoints
  • /api/v1/cart/add
  • /api/v1/cart/clear
  • /api/v1/checkout
  • /api/v1/checkout/pay
  • /api/v1/checkout/update/payment_method
  • /api/v1/orders/continue_payment
  User and feedback endpoints
  • /api/v1/user/import-contact-v2
  • /api/v1/feedback/order_product/store
  Authentication and region endpoints (v3)
  • /api/v3/auth/login
  • /api/v3/auth/register
  • /api/v3/auth/phone
  • /api/v3/user/switch_country
  • /api/v3/countries
4. Extraction of third-party service identifiers and hard-coded keys
  <meta-data android:name="io.branch.sdk.BranchKey"
      android:value="key_live_xxxxxxxxxxxxxxxx"/>
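The string-extraction and key-search steps above (steps 2 to 4) can be turned into a repeatable pre-release check that the development team runs against its own build before publishing, so that a key or endpoint is caught before it ships rather than after. The following Python script is an added example written for this report; it is not part of the original report and not ZUS Coffee's code. It reproduces the `strings | grep` heuristic, flags `/api/v*/` paths and values that match the public formats of the key types listed in the report (the `AIza` Google API key prefix, the `key_live_` Branch prefix, `*.firebaseio.com` Realtime Database URLs), and redacts matches the way the report's table does. The APK layout, file names and key values in the sample are constructed, and the regular expressions are assumptions about key formats, not values taken from the report.

```python
"""Pre-release scan of an Android build for strings that should not ship.

Added example for this report; not part of the original report and not
ZUS Coffee's code. Reproduces the report's `strings | grep` procedure in
Python so it can run in CI against the app's own build artifact.
"""
import io
import json
import re
import sys
import zipfile
from typing import Dict, List

MIN_STRING_LEN = 8

# Printable-ASCII runs: the same heuristic the `strings` utility uses.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)

# Backend paths the report searched for with grep "/api/v1/" and grep "/api/v3/".
API_PATH_RE = re.compile(r"/api/v\d+/[A-Za-z0-9_\-/]+")

# Public key formats (assumptions about format only): Google API keys start
# with "AIza" and are 39 characters, Branch live keys start with "key_live_",
# Realtime Database URLs end in ".firebaseio.com".
KEY_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "branch_live_key": re.compile(r"\bkey_live_[0-9A-Za-z]{20,}\b"),
    "firebase_database_url": re.compile(r"https://[a-z0-9\-]+\.firebaseio\.com"),
}


def extract_strings(blob: bytes) -> List[str]:
    """Return printable-ASCII runs of at least MIN_STRING_LEN bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def redact(value: str, keep: int = 6) -> str:
    """Truncate a secret for the findings report, as the report's table does."""
    return value[:keep] + "....."


def scan_blob(blob: bytes) -> Dict[str, list]:
    """Flag API paths and key-shaped strings in one binary (e.g. libapp.so)."""
    api_paths, keys = set(), set()
    for s in extract_strings(blob):
        api_paths.update(m.group() for m in API_PATH_RE.finditer(s))
        for name, pattern in KEY_PATTERNS.items():
            keys.update((name, redact(m.group())) for m in pattern.finditer(s))
    return {"api_paths": sorted(api_paths), "keys": sorted(keys)}


def scan_apk(apk) -> Dict[str, Dict[str, list]]:
    """Scan every file inside an APK (a zip); apk is a path or a file object.

    Limitation: binary XML and resources.arsc may store strings as UTF-16,
    which this ASCII-run scan does not decode, so a clean result for those
    entries is inconclusive. libapp.so strings are plain ASCII and are covered.
    """
    report = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue
            found = scan_blob(zf.read(name))
            if found["api_paths"] or found["keys"]:
                report[name] = found
    return report


# Constructed sample: a fake ELF-like blob carrying strings of the kinds the
# report lists. Every key value here is made up for the demonstration.
SAMPLE_LIBAPP = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 17
    + b"package:love_coffee/api/api_caller.dart\x00"
    + b"/api/v1/balance/reload\x00/api/v3/auth/login\x00"
    + b"AIzaSyCONSTRUCTED" + b"0" * 22 + b"\x00"
    + b"key_live_CONSTRUCTED" + b"0" * 12 + b"\x00"
    + b"https://constructed-project.firebaseio.com\x00"
)


def build_sample_apk() -> io.BytesIO:
    """Build an in-memory zip laid out like an APK (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("lib/arm64-v8a/libapp.so", SAMPLE_LIBAPP)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python scan_build.py app-release.apk  (exit 1 if a key-shaped string is found)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_apk()
    result = scan_apk(target)
    print(json.dumps(result, indent=2))
    sys.exit(1 if any(v["keys"] for v in result.values()) else 0)
```

Wiring the script into the release pipeline with a non-zero exit on any key match gives the team the same visibility an outside researcher gets from `strings`, at a point where the fix is still a configuration change rather than a key rotation.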

Summary of sensitive data

Category | Key name | Key (truncated) | Potential risk
---------|----------|-----------------|---------------
Google API Keys | google_api_key | AIzaSy..... | API abuse, unauthorised data access, quota exhaustion
Google App ID | google_app_id | 1:60847..... | Third-party apps could use this ID to make unauthorised calls
Crash Reporting | google_crash_reporting_api_key | AIzaSy..... | Forged crash reports could lead to leakage of sensitive data
Facebook App ID | facebook_app_id | 173173..... | Possible login forgery and abuse of the Facebook API
Facebook Client Token | facebook_client_token | c49338..... | Session hijacking, API abuse
Firebase Database | firebase_database_url | https:api.z..... | Unauthorised reads or writes if the security rules are misconfigured
Google Storage | google_storage_bucket | zuscof..... | Misconfiguration could allow sensitive files to be uploaded or downloaded
GCM Sender ID | gcm_defaultSenderId | 608474..... | Could be used to send unauthorised push notifications, enabling harassment or phishing
Branch Key | io.branch.sdk.BranchKey | key_live_..... | Could be used to manipulate attribution and fabricate referrals, yielding illegitimate rewards or access to sensitive deep-link data

Risk assessment and potential attack scenarios

Potential attack scenarios

  • API abuse: the Google API keys and the Crash Reporting API key could be used to issue large volumes of unauthorised requests, exhausting service quota or exfiltrating sensitive data
  • Unauthorised data access: the Firebase Database URL could be used to read or tamper with user orders, personal information and other records, or even to destroy data
  • Fake referrals and attribution manipulation: the Branch Key could be used to manipulate the deep-link system, fabricate referrals and obtain rewards illegitimately
  • Session hijacking and login forgery: the Facebook Client Token could be used to forge login requests or hijack user sessions
  • Push-notification abuse: the GCM Sender ID could be used to send unauthorised push notifications that lure users into phishing

Sensitive data involved

  • Google API keys and Crash Reporting API key
  • Firebase Database URL
  • Branch Key deep-link configuration
  • Facebook Client Token
  • GCM Sender ID

Recommendations

Immediate measures

  • Remove hard-coded sensitive data from the client
  • Harden the Firebase security rules
  • Update and rotate keys regularly

Long-term security strategy

  • Set up API monitoring and log auditing
  • Harden the deep-link mechanism
  • Review subdomain configuration regularly
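For the API monitoring and log-auditing recommendation, the following Python script is an added example (not from the report, and not ZUS Coffee's code) of the kind of check such a system would run: it reads API gateway log lines and flags a client API key whose traffic stops looking like the mobile app's, which is the pattern to expect once a key that was hard-coded in the APK has been copied out and reused elsewhere. The log format, field names, thresholds and the app's User-Agent prefix are assumptions; the log lines are constructed and use documentation address ranges.

```python
"""Log-audit check for a client API key that is being used outside the app.

Added example for this report's "API monitoring and log auditing"
recommendation; not part of the original report and not ZUS Coffee's code.
The log schema, thresholds and User-Agent prefix are assumptions.
"""
import json
from collections import Counter, defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple

# Assumed gateway log schema, one JSON object per line:
#   {"ts": ISO-8601, "key_id": str, "src_ip": str, "ua": str, "path": str}
WINDOW_SECONDS = 60           # sliding window evaluated per key
RATE_LIMIT = 5                # max requests per key per window (assumed baseline)
MAX_DISTINCT_SOURCES = 3      # max distinct source IPs per key per window
APP_UA_PREFIX = "MobileApp/"  # assumed User-Agent prefix the real app sends


class Alert(NamedTuple):
    kind: str
    key_id: str
    ts: datetime
    detail: str


def parse_line(line: str) -> dict:
    """Parse one JSON log line; a trailing 'Z' is normalised for fromisoformat."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def audit(lines: Iterable[str]) -> List[Alert]:
    """Raise alerts for keys whose traffic no longer looks like the app's."""
    alerts: List[Alert] = []
    window: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    records = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda r: r["ts"])
    for rec in records:
        key, ts = rec["key_id"], rec["ts"]
        q = window[key]
        q.append((ts, rec["src_ip"]))
        # Drop entries that have fallen out of the sliding window.
        while q and (ts - q[0][0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if not rec["ua"].startswith(APP_UA_PREFIX):
            alerts.append(Alert("unexpected_user_agent", key, ts, rec["ua"]))
        if len(q) > RATE_LIMIT:
            alerts.append(Alert("rate_exceeded", key, ts,
                                f"{len(q)} requests in {WINDOW_SECONDS}s"))
        sources = {ip for _, ip in q}
        if len(sources) > MAX_DISTINCT_SOURCES:
            alerts.append(Alert("too_many_sources", key, ts,
                                f"{len(sources)} distinct source IPs"))
    return alerts


def summarize(alerts: List[Alert]) -> Counter:
    """Count alerts by kind, e.g. to feed a dashboard or a paging threshold."""
    return Counter(a.kind for a in alerts)


# Constructed sample: three normal app requests, then a burst from six
# different documentation-range addresses with a non-app User-Agent.
SAMPLE_LOGS = """\
{"ts":"2025-03-26T10:00:00Z","key_id":"gkey-01","src_ip":"203.0.113.10","ua":"MobileApp/4.2 (Android 14)","path":"/api/v3/countries"}
{"ts":"2025-03-26T10:00:05Z","key_id":"gkey-01","src_ip":"203.0.113.10","ua":"MobileApp/4.2 (Android 14)","path":"/api/v1/balance/history"}
{"ts":"2025-03-26T10:00:10Z","key_id":"gkey-01","src_ip":"203.0.113.11","ua":"MobileApp/4.2 (Android 14)","path":"/api/v1/cart/add"}
{"ts":"2025-03-26T10:05:00Z","key_id":"gkey-01","src_ip":"198.51.100.1","ua":"python-requests/2.31","path":"/api/v1/balance/history"}
{"ts":"2025-03-26T10:05:01Z","key_id":"gkey-01","src_ip":"198.51.100.2","ua":"python-requests/2.31","path":"/api/v1/balance/history"}
{"ts":"2025-03-26T10:05:02Z","key_id":"gkey-01","src_ip":"198.51.100.3","ua":"python-requests/2.31","path":"/api/v1/balance/history"}
{"ts":"2025-03-26T10:05:03Z","key_id":"gkey-01","src_ip":"198.51.100.4","ua":"python-requests/2.31","path":"/api/v1/balance/history"}
{"ts":"2025-03-26T10:05:04Z","key_id":"gkey-01","src_ip":"198.51.100.5","ua":"python-requests/2.31","path":"/api/v1/balance/history"}
{"ts":"2025-03-26T10:05:05Z","key_id":"gkey-01","src_ip":"198.51.100.6","ua":"python-requests/2.31","path":"/api/v1/balance/history"}
"""

if __name__ == "__main__":
    found = audit(SAMPLE_LOGS.splitlines())
    for a in found:
        print(a.ts.isoformat(), a.kind, a.key_id, a.detail)
    print(dict(summarize(found)))
```

A User-Agent check is easy to spoof, so it is only the first signal; the rate and distinct-source checks are what make a reused key stand out even when the caller imitates the app. Alerts of this kind are also the trigger for the "rotate keys regularly" measure above: a key that fires them should be rotated and the old one revoked.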

Contact

Security researcher

Name: 钟智强

Title: Senior Security Researcher | Senior Full-Stack Engineer | Computer Vision Specialist

Email: johnmelodymel@qq.com

WeChat: ctkqiang

Response-time commitment

  • Urgent vulnerability issues: response within 24 hours
  • General technical enquiries: reply within 48 hours

Preferred communication channels

1. Email (encrypted communication)

2. WeChat voice/video call