After a year on the domestic market, the Pi Network application has a large user base in Vietnam. Most Pi advocates believe that by spending just a few minutes a day “mining” Pi on their phone, they stand to own a large fortune later if Pi enters circulation and appreciates the way Bitcoin has.
The app seems harmless, but that impression is mistaken: a security research group recently pointed out what it calls the “Achilles heel” of the Pi application. The app collects user data and sends it to the server, but that data is managed poorly.
On the morning of May 18, two security researchers, manhnho and Cu64 of the Anti-Phishing project, published an analysis of version 1.30.3 of the Pi Network application for Android, downloaded from the Play Store.
The Pi app has a feature called Mining Pools, where users can invite their friends to use Pi. When the Invite feature is selected, the application requests permission to access the phone’s contacts.
According to the research team, once the user taps OK, Pi sends the contacts stored on the device to the server, and each subsequent visit to the Mining Pool sends an updated copy of the contacts.
The problem lies in how the user’s data is managed on the server. When a user chooses to delete their Pi account, the data associated with them, contacts included, should be deleted from the server as well. Instead, that data can still be recovered.
By taking the application’s authentication token and sending a request to the server, the two researchers were able to retrieve all the contacts the Pi app had uploaded, even after they had requested deletion of their own account.
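The server-side failure described above, modelled as an added example that is not code from the Pi Network app or from the researchers: the weak delete reproduces the reported behaviour (the account is removed but the uploaded contacts and the auth token are left behind, so the old token still returns the data), while the hardened delete purges the contacts and revokes the token in the same operation. All class, method and sample names are hypothetical.

```python
import secrets


class ContactStore:
    def __init__(self):
        self.accounts = set()   # live user ids
        self.contacts = {}      # user_id -> uploaded contact entries
        self.tokens = {}        # auth token -> user_id

    def register(self, user_id):
        self.accounts.add(user_id)
        token = secrets.token_hex(16)
        self.tokens[token] = user_id
        return token

    def _user_for(self, token):
        if token not in self.tokens:
            raise PermissionError("token is revoked or unknown")
        return self.tokens[token]

    def upload_contacts(self, token, entries):
        self.contacts.setdefault(self._user_for(token), []).extend(entries)

    def fetch_contacts(self, token):
        # Checks only the token, not whether the account still exists.
        return list(self.contacts.get(self._user_for(token), []))

    def delete_account_weak(self, token):
        # Models the reported behaviour: account gone, contacts and token kept.
        self.accounts.discard(self._user_for(token))

    def delete_account_hardened(self, token):
        # Cascade: purge the user's contacts and revoke every token tied to
        # the account in the same operation as the account removal.
        user_id = self._user_for(token)
        self.accounts.discard(user_id)
        self.contacts.pop(user_id, None)
        for stale in [t for t, u in self.tokens.items() if u == user_id]:
            del self.tokens[stale]


def contacts_after_delete(hardened):
    """What the old token yields after account deletion; None if it is rejected."""
    store = ContactStore()
    token = store.register("user-1")
    store.upload_contacts(token, [("Alice", "+84-000-000-001")])  # constructed sample
    (store.delete_account_hardened if hardened else store.delete_account_weak)(token)
    try:
        return store.fetch_contacts(token)
    except PermissionError:
        return None
```

A deletion endpoint that passes this kind of check, replaying the pre-deletion token and expecting a rejection, is the regression test a reviewer would ask for here.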