SIK-2017-052


Title:

User Location and Info publicly accessible by username in RealTime GPS Tracker App

Report ID:

SIK-2017-052

Summary:

  • Vendor: Greenalp
  • Product: RealTime GPS Tracker (Package-Name: com.greenalp.RealtimeTracker)
  • Affected Version: android:versionName="0.9.81"
  • Severity: High
  • Short summary: With a known username, an adversary can publicly access the location and other info about the user's cellphone if the default settings are still in place.

Details:

An adversary can visit

https://www.greenalp.com/realtimetracker/index.php?viewuser=USERNAME

with a known username to view the user's location and other info such as speed, direction and battery status. The user can log in on the greenalp.com website to prevent this or restrict it to friends, but the default setting makes this info publicly accessible.

Workaround:

The user can log in on greenalp.com and set the visibility permission to friends or nobody.

Suggested Mitigation:

The default setting should be that nobody is able to see the location and other info; the user should have to opt in to sharing with friends or the public.
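To make the mitigation concrete, the following is an added example that is not greenalp's code: a server-side visibility check for a "view user" endpoint, modelling the three settings the advisory mentions (public, friends, nobody). It contrasts the insecure default (public) with the suggested secure default (nobody), denies anonymous visitors by default, and includes a small audit helper that lists accounts still on the public default. The Profile class, the in-memory store, the function names and the sample accounts are all constructed for illustration.

```python
"""Server-side visibility check for a location-sharing profile.

Added example (not greenalp's code): models the per-user visibility setting
described in the advisory (public / friends / nobody) and shows why the
default matters. Names, the in-memory store and the sample data are
constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Visibility(Enum):
    PUBLIC = "public"     # anyone who knows the username sees location and status
    FRIENDS = "friends"   # only logged-in users on the owner's friends list
    NOBODY = "nobody"     # only the account owner


# The insecure default the advisory describes: new accounts share publicly.
INSECURE_DEFAULT = Visibility.PUBLIC
# The suggested mitigation: new accounts share with nobody until they opt in.
SECURE_DEFAULT = Visibility.NOBODY


@dataclass
class Profile:
    username: str
    visibility: Visibility = SECURE_DEFAULT   # secure default applied to new accounts
    friends: set = field(default_factory=set)
    # Constructed sample payload standing in for location, speed, battery, etc.
    status: dict = field(default_factory=dict)


def can_view(profile: Profile, viewer: Optional[str]) -> bool:
    """Authorisation decision for a ?viewuser=<username> request.

    viewer is the authenticated username of the requester, or None for an
    anonymous visitor. The owner always sees their own data.
    """
    if viewer is not None and viewer == profile.username:
        return True
    if profile.visibility is Visibility.PUBLIC:
        return True
    if profile.visibility is Visibility.FRIENDS:
        return viewer is not None and viewer in profile.friends
    return False  # Visibility.NOBODY


def view_user(store: dict, username: str, viewer: Optional[str]) -> Optional[dict]:
    """Return the status payload only when the viewer is authorised.

    Returns None both for unknown usernames and for denied requests, so the
    endpoint does not reveal which usernames exist.
    """
    profile = store.get(username)
    if profile is None or not can_view(profile, viewer):
        return None
    return profile.status


def users_on_insecure_default(store: dict) -> list:
    """Audit helper: usernames whose data is still publicly visible."""
    return sorted(u for u, p in store.items() if p.visibility is Visibility.PUBLIC)


def build_sample_store() -> dict:
    """Constructed accounts: one left on the old public default, two restricted."""
    alice = Profile("alice", visibility=INSECURE_DEFAULT,
                    status={"lat": 48.2, "lon": 16.4, "battery": 77})
    bob = Profile("bob", friends={"alice"},
                  status={"lat": 52.5, "lon": 13.4, "battery": 41})
    carol = Profile("carol", visibility=Visibility.FRIENDS, friends={"bob"},
                    status={"lat": 50.1, "lon": 8.7, "battery": 12})
    return {p.username: p for p in (alice, bob, carol)}


if __name__ == "__main__":
    store = build_sample_store()
    # An anonymous visitor who knows a username: only the public-default account is exposed.
    print(view_user(store, "alice", None))   # payload: still on the public default
    print(view_user(store, "bob", None))     # None: secure default, nobody
    print(view_user(store, "carol", None))   # None: friends only, anonymous viewer
    print(view_user(store, "carol", "bob"))  # payload: bob is on carol's friends list
    print(users_on_insecure_default(store))  # ['alice']
```

The point of the example is the default on the Profile class: a newly created account is only visible to its owner, and sharing with friends or the public becomes a deliberate choice. The audit helper is the kind of check a vendor could run once to find existing accounts that were created under the old public default.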

Timeline:

  • 2017-08-26: Vulnerability discovered
  • 2017-08-30: Advisory sent to developer
  • 2017-08-31: Developer replied with "won't be fixed, behaviour is intended in that way"
  • 2018-08-11: Published