Vulnerability Reports

We want to highlight that we follow common rules in our responsible disclosure process before we release any information about our findings. Furthermore, all our findings are reported to the corresponding vendors. Once we reached out to the vendor, we list our findings in Zerodays. Once the vendor fixed the vulnerability, we release all details about the findings in Vulnerability Reports.

Zerodays
Vulnerability Reports

Report ID	Vendor	Report Date
SIK-2019-010	mtMax GmbH	2019-06-11
SIK-2019-009	M&S SystemSolutions GmbH	2019-03-27
SIK-2019-008	M&S SystemSolutions GmbH	2019-03-27
SIK-2019-007	M&S SystemSolutions GmbH	2019-03-27
SIK-2019-006	M&S SystemSolutions GmbH	2019-03-27
SIK-2019-005	M&S SystemSolutions GmbH	2019-03-27
SIK-2019-004	M&S SystemSolutions GmbH	2019-03-27
SIK-2019-003	M&S SystemSolutions GmbH	2019-03-27
SIK-2019-002	M&S SystemSolutions GmbH	2019-03-27
SIK-2019-001	gastronovi GmbH	2019-02-05
SIK-2018-024	Burakgon	2019-06-06
SIK-2018-023	Appgenix Software UG	2019-06-06
SIK-2018-022	Medical Investment A.P. Co. Ltd	2018-05-16
SIK-2018-021	Medical Investment A.P. Co. Ltd	2018-05-16
SIK-2018-020	Helyxon	2018-05-08
SIK-2018-019	Helyxon	2018-05-08
SIK-2018-018	Helyxon	2018-05-08
SIK-2018-017	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-016	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-015	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-014	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-013	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-012	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-011	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-010	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-009	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-008	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-007	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-006	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-005	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-004	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-003	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-002	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2018-001	Datenlotsen Informationssysteme GmbH	2017-11-29
SIK-2017-022	The World of Apps LLC	2017-08-09
SIK-2017-021	The World of Apps LLC	2017-08-09
SIK-2017-020	The World of Apps LLC	2017-08-09

Report ID	Vendor	Title	Report Date
SIK-2017-058	GooglePlay Store (Malware)	SMS-Tracker Spyware Downloader in Google Play	2017-08-30
SIK-2017-057	BytePioneers s.r.o.	Premium Feature Unlock Without Payment in Couple Tracker App	2017-08-23
SIK-2017-056	애펙스 주식회사	SQLi in Couple Vow app leaks all user credentials (passwords in plaintext)	2017-08-23
SIK-2017-055	Greenalp	Reflective XSS on greenalp.com via RealTime GPS Tracker App	2017-08-26
SIK-2017-054	Greenalp	Send Message to User with username without authentication in RealTime GPS Tracker App	2017-08-26
SIK-2017-053	Greenalp	PHPinfo publicly accessible on greenalp.com via RealTime GPS Tracker Website	2017-08-26
SIK-2017-052	Greenalp	User Location and Info publicly accessible by username in RealTime GPS Tracker App	2017-08-26
SIK-2017-051	SoftSquare InfoSoft	Profile picture of any account can be changed unauthorized in Girlfriend Cell Tracker App	2017-08-23
SIK-2017-050	SoftSquare InfoSoft	Profile Pics accessible without authentication in Girlfriend Cell Tracker App	2017-07-26
SIK-2017-049	SoftSquare InfoSoft	All traffic via HTTP in Girlfriend Cell Tracker App	2017-07-26
SIK-2017-048	SoftSquare InfoSoft	Complete Access to all SMS Conversations of all users in GirlFriend Cell Tracker App	2017-08-09
SIK-2017-047	SoftSquare InfoSoft	Complete Access to all User IDs in GirlFriend Cell Tracker App	2017-08-09
SIK-2017-046	Handelsblatt GmbH	Broken X509TrustManager in Handelsblatt Global Edition App	2017-08-09
SIK-2017-041	SeeBetaApp	SQLi in GPS Location Tracker App	2017-08-09
SIK-2017-040	SeeBetaApp	Plaintext Communication in GPS Location Tracker App	2017-08-09
SIK-2017-039	SeeBetaApp	SQLi in Login Form from GPS Location Tracker App	2017-08-09
SIK-2017-038	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Phone Tracker By Number“	2017-08-09
SIK-2017-037	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Localiser un Portable avec son Numéro“	2017-08-09
SIK-2017-036	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Handy Orten per Handynummer Kostenlos“	2017-08-09
SIK-2017-035	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Rastreador de Celular Avanzado“	2017-08-09
SIK-2017-034	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Localizador de Celular GPS“	2017-08-09
SIK-2017-033	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Rastrear Celular Por el Numero“	2017-08-09
SIK-2017-032	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Phone Tracker Pro“	2017-08-09
SIK-2017-031	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Phone Tracker Free“	2017-08-09
SIK-2017-030	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Rastreador de Novio“	2017-08-09
SIK-2017-029	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Rastreador de Novia“	2017-08-09
SIK-2017-028	AppDroid Aplicativos Ponto Com	Hard-Coded Database Credentials in „Rastreador de Celular Libre“	2017-08-09
SIK-2017-027	GooglePlay Store (Malware)	Commercial Spyware Downloader in Google Play	2017-07-12
SIK-2017-023	Fiducia & GAD IT AG, Verwaltungssitz Münster	VR-SecureCARD	2017-08-09
SIK-2017-019	Intelligent Systems GmbH	iMensa food ratings manipulable	2017-08-09
SIK-2017-018	Miles and More	Hardcoded encryption key in Miles and More app	2017-05-18
SIK-2017-017	KidControl Dev.	Privilege Escalation in KidControl GPS Tracker App	2017-04-15
SIK-2017-016	KidControl Dev.	Disable Authentication in KidControl GPS Tracker App	2017-04-15
SIK-2017-015	KidControl Dev.	Password in Normal Text Field in KidControl GPS Tracker App	2017-04-14
SIK-2017-014	KidControl Dev.	Insecure Login in KidControl GPS Tracker App	2017-04-12
SIK-2017-013	net.prtm.myfamily	My Family GPS tracker data transmitted without encryption	2017-04-26
SIK-2017-012	net.prtm.myfamily	My Family GPS tracker data accessible to public	2017-04-26
SIK-2017-011	Westfälische Verkehrsgesellschaft	Fahrtwind (Westfälische Verkehrsgesellschaft) App Backend Manpulation Vulnerability	2017-02-27
SIK-2017-010	Westfälische Verkehrsgesellschaft	Fahrtwind (Westfälische Verkehrsgesellschaft) App Insecure Database Replication	2017-02-27
SIK-2017-009	BOGESTRA	Mutti (Bogestra) App Backend Manpulation Vulnerability	2017-02-27
SIK-2017-008	BOGESTRA	Mutti (Bogestra) App Insecure Database Replication	2017-02-27
SIK-2017-007	Essen Mobil	Essen Mobil Insecure Database Replication	2017-02-22
SIK-2017-006	Essen Mobil	Essen Mobil App Backend Manipulation Vulnerability	2017-02-22
SIK-2017-005	Lufthansa	ADB Backup Allowed in Lufthansa App	2017-02-14
SIK-2017-004	Lufthansa	Private Files Extraction Possible in Lufthansa App	2017-02-14
SIK-2017-003	Lufthansa	Insecure Crypto Keys in Lufthansa App	2017-02-14
SIK-2017-002	Lufthansa	Http URLs in Lufthansa App	2017-02-15
SIK-2017-001	IEEE	Stored and Reflected XSS in pdf-express.org Website	2017-02-03
SIK-2016-054	AVAST	Internal Testing URLs in Avast Password Manager	2016-11-21
SIK-2016-053	RWE	Boot Loop Through USB Update in RWE Smarthome	2016-08-29
SIK-2016-052	RWE	Denial-of-Service Vulnerability in RWE Smarthome	2016-08-29
SIK-2016-051	RWE	Unprotected NTP Connection in RWE Smarthome	2016-08-29
SIK-2016-050	RWE	Custom CA Certificate Required for RWE Smarthome That Allows Full Traffic Decryption	2016-08-29
SIK-2016-049	RWE	Weak SSL/TLS Cipher Suits in RWE Smarthome Appliance	2016-08-29
SIK-2016-048	Gigaset	Video Stream Access without Authentication on Gigaset Smarthome Camera	2016-08-15
SIK-2016-047	Gigaset	Directory Traversal and Information leakage Through Backup in Gigast Smarthome Camera	2016-07-27
SIK-2016-046	Gigaset	CSFR Vulnerability in Gigaset Smarthome Camera Configuration Interface	2016-07-27
SIK-2016-045	Gigaset	Weak Configuration Interface Authentication on Gigaset Smarthome Camera	2016-07-27
SIK-2016-044	Gigaset	Logging of Sensitive Information in Gigaset elements App	2016-07-27
SIK-2016-043	My Passwords	Free Premium Features Unlock for My Passwords	2016-11-11
SIK-2016-042	AgileBits	Privacy Issue, Information Leaked to Vendor 1Password Manager	2016-09-01
SIK-2016-041	AgileBits	Read Private Data From App Folder in 1Password Manager	2016-09-01
SIK-2016-040	AgileBits	Titles and URLs Not Encrypted in 1Password Database	2016-09-01
SIK-2016-039	AgileBits	Https downgrade to http URL by default in 1Password Internal Browser	2016-09-01
SIK-2016-038	AgileBits	Subdomain Password Leakage in 1Password Internal Browser	2016-09-01
SIK-2016-037	AVAST	Broken Secure Communication Implementation in Avast Password Manager	2016-11-21
SIK-2016-036	AVAST	Subdomain Password Leakage in Avast Password Manager	2016-11-21
SIK-2016-035	AVAST	Insecure Default URLs for Popular Sites in Avast Password Manager	2016-11-21
SIK-2016-034	AVAST	Password Theft by Spoofed Website from Avast Password Manager	2016-11-21
SIK-2016-033	AVAST	App Password Stealing from Avast Password Manager	2016-11-21
SIK-2016-032	Keepsafe	Keepsafe Plaintext Password Storage	2016-10-28
SIK-2016-031	Dashlane	Subdomain Password Leakage in Internal Dashlane Password Manager Browser	2016-09-26
SIK-2016-030	Dashlane	Residue Attack Extracting Masterpassword From Dashlane Password Manager	2016-09-26
SIK-2016-029	Dashlane	Google Search Information Leakage in Dashlane Password Manager Browser	2016-09-26
SIK-2016-028	Dashlane	Read Private Data From App Folder in Dashlane Password Manager	2016-09-26
SIK-2016-027	F-Secure Corporation	F-Secure KEY Password Manager Insecure Credential Storage	2016-08-18
SIK-2016-026	Keeper Security, Inc.	Keeper Password Manager Data Injection without Master Password	2016-05-25
SIK-2016-025	Keeper Security, Inc.	Keeper Password Manager Security Question Bypass	2016-05-25
SIK-2016-024	LastPass	Read Private Date (Stored Masterpassword) from LastPass Password Manager	2016-08-24
SIK-2016-023	LastPass	Privacy, Data leakage in LastPass Browser Search	2016-08-24
SIK-2016-022	LastPass	Hardcoded Master Key in LastPass Password Manager	2016-08-23
SIK-2016-021	Informaticore	Insecure Credential Storage in Mirsoft Password Manager	2016-08-18
SIK-2016-020	My Passwords	Master Password Decryption of My Passwords App	2016-11-11
SIK-2016-019	My Passwords	Read Private Data of My Passwords App	2016-11-11
SIK-2016-018	McAfee	Local DOS McAfee App	2015-12-03
SIK-2016-017	Miles&More	Complete Traffic Dumped to Logcat in Miles&More App	2016-12-13
SIK-2016-015	Heag	Heag Mobile Backend Manpulation Vulnerability	2016-11-29
SIK-2016-014	Heag	Heag Mobilo Insecure Database Replication	2016-11-29
SIK-2016-013	McAfee	XSS in Secure Browsing Module McAfee App	2015-11-25
SIK-2016-012	Malwarebytes	Local DOS Malwarebytes App	2016-02-11
SIK-2016-011	Malwarebytes	Unprotected and Unauthenticated HTTP-Connection Malwarebytes App	2016-02-11
SIK-2016-010	Kaspersky	Remote Code Execution Kaspersky App	2015-09-20
SIK-2016-009	ESET	Insecure HTTPS-Communication ESET App	2015-10-13
SIK-2016-008	Cheetahmobile	Tapjacking Attack cheetahmobile App	2015-12-15
SIK-2016-007	Cheetahmobile	Remote Code Execution cheetahmobile App	2015-12-15
SIK-2016-006	AVIRA	Local DOS of AVIRA App	2015-10-10
SIK-2016-005	AVIRA	Remote Deactivation of AVIRA App Scan Engine	2015-10-10
SIK-2016-004	AVIRA	Virus Definition File Downgrade of AVIRA App	2015-10-10
SIK-2016-003	AndroHelm	Premium Feature Upgrade for Free in AndroHelm Antivirus App	2015-10-15
SIK-2016-002	AndroHelm	Remote Control of AndroHelm Antivirus App	2015-10-15
SIK-2016-001	AndroHelm	Remote Crash of AndroHelm Antivirus App	2015-10-15