Executive Summary
Summary | |
---|---|
Title | Mobile device monitoring services do not authenticate API requests |
Information | | | |
---|---|---|---|
Name | VU#229438 | First vendor Publication | 2022-02-22 |
Vendor | VU-CERT | Last vendor Modification | 2022-02-24 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
CVSS vector : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | | | |
---|---|---|---|
Overall CVSS Score | 7.5 | | |
Base Score | 7.5 | Environmental Score | 7.5 |
Impact Sub Score | 3.6 | Temporal Score | 7.5 |
Exploitability Sub Score | 3.9 | | |
Attack Vector | Network | Attack Complexity | Low |
Privileges Required | None | User Interaction | None |
Scope | Unchanged | Confidentiality Impact | High |
Integrity Impact | None | Availability Impact | None |
Security-Database Scoring CVSS v2
CVSS vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | | | |
---|---|---|---|
CVSS Base Score | 5 | Attack Range | Network |
CVSS Impact Score | 2.9 | Attack Complexity | Low |
CVSS Exploit Score | 10 | Authentication | None Required |
Detail
Overview
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called "stalkerware." An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.
Description
IDOR is a common web application flaw that exposes information held on a server because of insufficient authentication or authorization controls: the server looks up a record by a key the client supplies without checking that the caller is entitled to that record. Multiple services and apps are affected by this backend vulnerability. A list of known vendors is included below. For more information and a detailed account of the flaw and investigation, please see "Behind the stalkerware network spilling the private phone data of hundreds of thousands."
Impact
An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.
Solution
We are unaware of a practical solution to this problem. The infrastructure provider (according to the TechCrunch investigation, 1Byte Software) would need to address the IDOR vulnerability. For advice on detecting and removing stalkerware apps, see "Your Android phone could have stalkerware, here's how to remove it." As noted by TechCrunch:
Acknowledgements
Thanks to Zack Whittaker from TechCrunch for researching and reporting this vulnerability and investigating the wider security concerns related to stalkerware. This document was written by James Stanley and Art Manion.
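The Description section above explains the IDOR pattern in general terms. The Python below is an added example, not code from the CERT note or from any affected vendor: it shows a device-record lookup keyed only by a caller-supplied id (the CWE-639 flaw) beside a form that authenticates the session and checks ownership before returning the record, plus a simple log scan a defender can run to flag a source that requests many distinct record ids. The record store, session tokens, URL path and log format are all constructed assumptions for the example.

```python
"""Added example (not from the CERT note or any vendor's code): an IDOR
lookup beside its authorization-checked form, and a log check that flags
id enumeration. Records, tokens, paths and log lines are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import hmac

# Constructed sample store: which account owns which monitored device.
DEVICES = {
    1001: {"owner": "acct-A", "location": "constructed-location-1"},
    1002: {"owner": "acct-B", "location": "constructed-location-2"},
}
# Constructed session store: opaque bearer token -> account id.
SESSIONS = {"tok-A-constructed": "acct-A", "tok-B-constructed": "acct-B"}

# Constructed access-log lines: "<source> <path> <status>".
SAMPLE_LOG = [
    "198.51.100.7 /api/device/1001 200",
    "198.51.100.7 /api/device/1002 200",
    "198.51.100.7 /api/device/1003 404",
    "198.51.100.7 /api/device/1004 404",
    "198.51.100.7 /api/device/1005 404",
    "203.0.113.9 /api/device/1001 200",
]


@dataclass(frozen=True)
class Response:
    status: int
    body: Optional[dict] = None


def get_device_vulnerable(device_id: int) -> Response:
    """The flaw: the caller-supplied key selects the record directly and
    nothing ties the caller to the record's owner (CWE-639)."""
    record = DEVICES.get(device_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def _account_for(token: Optional[str]) -> Optional[str]:
    """Resolve a bearer token to an account; constant-time comparison so
    token prefixes do not leak through timing. A real store hashes tokens."""
    if token is None:
        return None
    for stored, account in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return account
    return None


def get_device_checked(token: Optional[str], device_id: int) -> Response:
    """Hardened form: authenticate the caller, then authorize the object."""
    account = _account_for(token)
    if account is None:
        return Response(401)
    record = DEVICES.get(device_id)
    # 404 for both "missing" and "not yours", so a caller cannot learn
    # whether a foreign id exists.
    if record is None or record["owner"] != account:
        return Response(404)
    return Response(200, record)


def flag_enumeration(log_lines: list, threshold: int = 5) -> list:
    """Detection: return sources that requested at least `threshold`
    distinct device ids, regardless of the status they got back."""
    seen = defaultdict(set)
    for line in log_lines:
        src, path = line.split()[:2]
        if path.startswith("/api/device/"):
            seen[src].add(int(path.rsplit("/", 1)[1]))
    return sorted(src for src, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(get_device_vulnerable(1002))            # record returned with no credential
    print(get_device_checked("tok-A-constructed", 1002))  # Response(status=404)
    print(flag_enumeration(SAMPLE_LOG))           # ['198.51.100.7']
```

The detection helper counts distinct ids rather than request volume, because an enumeration run against an IDOR endpoint looks like ordinary traffic per request and only stands out when the same source walks through many keys; tuning `threshold` to the normal number of devices per account keeps legitimate users below it.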
Original Source
Url : https://kb.cert.org/vuls/id/229438 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-639 | Access Control Bypass Through User-Controlled Key |
CPE : Common Platform Enumeration
Type | Description | Count |
---|---|---|
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Application | 1 | |
Alert History
Date | Information |
---|---|
2022-03-08 21:29:42 | |
2022-02-25 00:29:34 | |
2022-02-25 00:17:44 | |
2022-02-22 21:17:42 | |