SIK-2017-026


Title

Plain text communication in Family GPS tracker Kid Control

Report ID

SIK-2017-026

Summary:

  • Vendor: KidControl Dev.
  • Product: Family GPS tracker Kid Control ru.kidcontrol.gpstracker
  • Affected Version: 3.4.6
  • Severity: High
  • Short summary: Communication for registration and login is not encrypted. An attacker who can observe a valid user's login can take over the account.

Details:

None of the communication between the app and its backend is encrypted. For example, registration and login traffic can be intercepted and modified by an attacker with access to the network.
Although the login credentials are obfuscated in some way before being sent to the backend, an attacker can simply replay a captured packet from an earlier login request to gain access to the account.
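
Why obfuscation alone does not stop the replay described above, as an added example that is not from the advisory or the app: a login blob that is identical on every login is a password-equivalent, while a response bound to a single-use server nonce cannot be reused. The SHA-256 obfuscation, the class and function names and the sample account are assumptions (the app's actual scheme is not described here), and the nonce check complements rather than replaces the encrypted channel under Suggested Mitigation.

```python
import hashlib
import hmac
import secrets

# Constructed sample account; not taken from the app or its backend.
USERS = {"parent@example.com": "correct horse"}


def obfuscate(user, password):
    """Hypothetical stand-in for a deterministic client-side obfuscation."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


def respond(user, password, nonce):
    """Client side: prove knowledge of the secret for this nonce only."""
    key = obfuscate(user, password).encode()
    return hmac.new(key, nonce, hashlib.sha256).hexdigest()


class StaticLoginServer:
    """Accepts the obfuscated blob as-is, so the blob itself is the credential."""

    def login(self, user, blob):
        if user not in USERS:
            return False
        return hmac.compare_digest(obfuscate(user, USERS[user]), blob)


class NonceLoginServer:
    """Binds each login to a single-use nonce, so a captured response is useless."""

    def __init__(self):
        self._pending = {}  # user -> nonce issued for the next login attempt

    def challenge(self, user):
        self._pending[user] = secrets.token_bytes(16)
        return self._pending[user]

    def login(self, user, response):
        nonce = self._pending.pop(user, None)  # consume: one attempt per nonce
        if nonce is None or user not in USERS:
            return False
        return hmac.compare_digest(respond(user, USERS[user], nonce), response)
```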

Workaround

Only use the app when connected to a VPN you trust.

Suggested Mitigation

Use an encrypted channel for communication between the app and the backend.

Timeline

  • 2017-08-09: Vulnerability discovered
  • 2017-08-09: Contacted developer
  • 2018-08-11: Published