Executive Summary

Summary
Title: TaxiHail Android mobile app contains multiple vulnerabilities
Information
Name: VU#439016
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor Publication: 2015-12-08
Last vendor Modification: 2015-12-08
Revision: M

Detail

Vulnerability Note VU#439016

TaxiHail Android mobile app contains multiple vulnerabilities

Original Release date: 08 Dec 2015 | Last revised: 08 Dec 2015

Overview

Mobile Knowledge's TaxiHail is vulnerable to information disclosure and missing encryption of sensitive data.

Description

The Mobile Knowledge TaxiHail framework "allows passengers to book and manage their own reservations via iOS, android or the web in real-time, alleviating call congestion during peak busy hours."

TaxiHail prior to version 3.1.26 has been reported vulnerable to the following issues:

CWE-276: Incorrect Default Permissions

TaxiHail writes a log file containing the user's GPS location data. The file is not created with restrictive permissions, so other apps installed on the same device can read the location data from it.
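A quick way to confirm this class of issue on a device, given here as an added example that is not part of the CERT note or of the TaxiHail code: pull a directory listing of the app's private files directory with adb (`adb shell run-as <package> ls -l files` for a debuggable build, or `adb shell ls -l /data/data/<package>/files` on a rooted device) and flag every regular file whose "others" read bit is set. The listing embedded below is constructed sample input with a hypothetical set of files; it is not real TaxiHail data.

```python
import re
from typing import List, NamedTuple

# Constructed sample of `adb shell ls -l` output for an app's private files
# directory. File names, owner and modes are hypothetical, not TaxiHail data.
SAMPLE_LISTING = """\
-rw-rw-rw- u0_a123 u0_a123      4096 2015-12-08 10:02 gps_trace.log
-rw------- u0_a123 u0_a123       512 2015-12-08 10:02 session.db
-rw-r--r-- u0_a123 u0_a123       128 2015-12-08 09:55 settings.xml
drwxrwx--x u0_a123 u0_a123      4096 2015-12-08 09:55 cache
"""

# ls -l mode string: file type char followed by rwx triads for owner, group, others
MODE_RE = re.compile(r"^[-dlcbps][rwxsStT-]{9}$")


class Entry(NamedTuple):
    name: str
    mode: str
    is_dir: bool
    owner: str


def parse_ls(listing: str) -> List[Entry]:
    """Parse `ls -l` output from Android's classic toolbox ls
    (mode owner group size date time name) or from toybox ls, which
    inserts a hard-link count between the mode and the owner."""
    entries = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 7 or not MODE_RE.match(fields[0]):
            continue  # skip blank lines, "total N" and anything unexpected
        rest = fields[2:] if fields[1].isdigit() else fields[1:]
        # rest = owner, group, size, date, time, name (name may contain spaces)
        entries.append(Entry(name=" ".join(rest[5:]), mode=fields[0],
                             is_dir=fields[0][0] == "d", owner=rest[0]))
    return entries


def readable_by_other_apps(entry: Entry) -> bool:
    """Each Android app runs under its own uid/gid, so a file in the app's
    private directory is exposed to other apps when the "others" read bit
    is set, provided the path down to it is world-searchable (as the classic
    /data/data/<pkg> layout was). Directories are skipped; the files inside
    them are judged on their own mode bits."""
    others_read = entry.mode[7] == "r"
    return others_read and not entry.is_dir


def audit(listing: str) -> List[Entry]:
    """Return the regular files that another app on the device could read."""
    return [e for e in parse_ls(listing) if readable_by_other_apps(e)]


def report(listing: str) -> str:
    """Human-readable summary, one line per world-readable file."""
    return "\n".join(f"WORLD-READABLE {e.mode} {e.owner} {e.name}"
                     for e in audit(listing))


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

On the sample input the script flags gps_trace.log and settings.xml and leaves session.db alone. The corresponding fix on the app side is to open the log with `Context.MODE_PRIVATE` (the mode passed to `openFileOutput()`; `MODE_WORLD_READABLE` has been deprecated since API level 17), which yields a 0600 file owned by the app's uid, and to keep location data off external storage, where any app holding the storage permission can read it.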

CWE-311: Missing Encryption of Sensitive Data

TaxiHail does not use encryption when communicating with the server.

TaxiHail can be customized for deployment by individual taxi companies, so multiple apps available through the Apple App Store and Google Play may inherit these vulnerabilities. According to the reporter, "over 100" apps may derive from TaxiHail.

Impact

A malicious app on the same device may read the user's location data from the log file, and an unauthenticated attacker positioned on the network path may intercept the app's unencrypted traffic to the server and learn private information about the app user.

Solution

Apply an update

Mobile Knowledge has addressed this issue in version 3.1.26 of the TaxiHail app for both Android and iOS. Apps making use of TaxiHail have also been regenerated.

An older version of TaxiHail was reported as not correctly validating SSL certificates. According to the reporter, this issue is fixed in the latest version of TaxiHail. It is currently unclear which version originally addressed this problem.
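The two network issues, the missing transport encryption (CWE-311 in the Description) and the earlier lack of certificate validation, are the same mistake seen from the client library's side: the client must insist on TLS and must verify the server's certificate and hostname. The following Python client sketch is an added example, not code from CERT or from Mobile Knowledge; the backend host name is a hypothetical placeholder and the certificate bytes used to exercise the pin check are constructed. It puts the accept-anything context that produces the reported behaviour next to a correct one, and adds an optional certificate pin, the usual defence-in-depth for a mobile app that talks to a single known backend.

```python
import hashlib
import socket
import ssl
from typing import Iterable, Optional
from urllib.parse import urlsplit

# Hypothetical backend; the real TaxiHail server is not named in the advisory.
API_BASE = "https://api.example-taxi.invalid/"


def is_cleartext(url: str) -> bool:
    """True when a request to this URL would leave the device unencrypted (CWE-311)."""
    return urlsplit(url).scheme.lower() != "https"


def insecure_context() -> ssl.SSLContext:
    """The anti-pattern behind 'does not validate SSL certificates': a context
    that accepts any certificate for any name. It is the Python equivalent of
    an Android X509TrustManager whose checkServerTrusted() body is empty, or a
    HostnameVerifier that always returns true."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def secure_context() -> ssl.SSLContext:
    """What a client should use: chain validated against the platform CA store,
    hostname checked, legacy protocol versions refused."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Audit helper: does this context actually verify the peer?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate; this is the value the app pins."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_ok(der_cert: bytes, pins: Iterable[str]) -> bool:
    """True if the presented certificate matches one of the pinned fingerprints."""
    return cert_fingerprint(der_cert) in set(pins)


def connect(url: str, pins: Iterable[str] = (),
            ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Open a TLS socket to the URL's host. Refuses cleartext URLs and contexts
    that skip verification, completes a verified handshake, then enforces the
    optional pin set on the leaf certificate the server actually presented."""
    if is_cleartext(url):
        raise ValueError(f"refusing cleartext transport for {url}")
    ctx = ctx or secure_context()
    if not context_is_safe(ctx):
        raise ValueError("TLS context does not verify the peer")
    parts = urlsplit(url)
    raw = socket.create_connection((parts.hostname, parts.port or 443))
    tls = ctx.wrap_socket(raw, server_hostname=parts.hostname)
    pins = set(pins)
    if pins and not pin_ok(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise ssl.SSLCertVerificationError("certificate pin mismatch")
    return tls
```

The Android equivalents are to leave the platform's default TrustManager and HostnameVerifier in place, to use only https:// URLs, and, on Android 7.0 and later, to declare the pins and set `cleartextTrafficPermitted="false"` in the app's Network Security Configuration so that a stray http:// URL fails at the platform rather than silently going out in the clear.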

Affected users should update their apps as soon as possible to obtain the fix.

Vendor Information

Vendor: Mobile Knowledge
Status: Affected
Date Notified: -
Date Updated: 08 Dec 2015

CVSS Metrics (CVSS v2)

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       5.9    E:POC/RL:OF/RC:C
Environmental  4.4    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

  • http://taxihail.com/
  • http://www.mobile-knowledge.com/products/passenger-solutions/taxihail/

Credit

Thanks to the Shaftek Security Research Team for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 08 Dec 2015
  • Date First Published: 08 Dec 2015
  • Date Last Updated: 08 Dec 2015
  • Document Revision: 19


Original Source

Url : http://www.kb.cert.org/vuls/id/439016

Alert History

Date                 Information
2015-12-08 17:23:31  First insertion