SIK-2017-054


Title:

Send Message to User with username without authentication in RealTime GPS Tracker App

Report ID

SIK-2017-054

Summary:

  • Vendor: Greenalp
  • Product: RealTime GPS Tracker (Package-Name: com.greenalp.RealtimeTracker)
  • Affected Version: android:versionName="0.9.81"
  • Severity: High
  • Short summary: With a known username, an adversary can publicly access the location and other information about the user's cellphone if the default settings are still in place.

Details:

An adversary can visit

https://www.greenalp.com/realtimetracker/index.php?viewuser=USERNAME

with a known username to send messages to the phone on which the app is running. This can be prevented by the user by logging in on greenalp.com and then setting the view location permission to "nobody but me".

Workaround

The user can login on greenalp.com and set the permissions to friends or nobody.

Suggested Mitigation

The default setting should be that nobody can send messages to the user.
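The following is an added illustration of the suggested mitigation, not code from the advisory or from Greenalp: a deny-by-default authorization model for the "view user" endpoint, with the weak default the advisory describes (anyone who knows the username may view and message) placed beside a secure default (nobody but the owner). All names (Visibility, UserProfile, handle_view_user, the sample users) are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Visibility(Enum):
    """Who may view a user's location or send them a message."""
    EVERYONE = "everyone"   # anyone who knows the username, unauthenticated included
    FRIENDS = "friends"     # only accounts on the owner's friend list
    NOBODY = "nobody"       # "nobody but me": only the owner


@dataclass
class UserProfile:
    username: str
    last_location: str = "unknown"          # constructed sample value
    friends: Set[str] = field(default_factory=set)
    view_location: Visibility = Visibility.NOBODY
    receive_messages: Visibility = Visibility.NOBODY


def weak_default_profile(username: str) -> UserProfile:
    """Profile with the permissive default the advisory describes."""
    return UserProfile(username,
                       view_location=Visibility.EVERYONE,
                       receive_messages=Visibility.EVERYONE)


def secure_default_profile(username: str) -> UserProfile:
    """Profile with the suggested mitigation: nobody but the owner by default."""
    return UserProfile(username)


def is_allowed(owner: UserProfile, setting: Visibility, requester: Optional[str]) -> bool:
    """Deny-by-default check. `requester` is None for an unauthenticated visitor."""
    if requester is not None and requester == owner.username:
        return True                       # the owner always has access to their own data
    if setting is Visibility.EVERYONE:
        return True
    if setting is Visibility.FRIENDS:
        return requester is not None and requester in owner.friends
    return False                          # NOBODY, or any value we do not recognise


def can_view_location(owner: UserProfile, requester: Optional[str]) -> bool:
    return is_allowed(owner, owner.view_location, requester)


def can_send_message(owner: UserProfile, requester: Optional[str]) -> bool:
    return is_allowed(owner, owner.receive_messages, requester)


def handle_view_user(profiles: Dict[str, UserProfile], target: str,
                     session_user: Optional[str]) -> Tuple[int, dict]:
    """Hypothetical server-side handler for a '?viewuser=USERNAME' request.

    `session_user` is the authenticated account making the request, or None.
    Returns an HTTP-style status and the response body.
    """
    owner = profiles.get(target)
    if owner is None:
        return 404, {}
    if not can_view_location(owner, session_user):
        return 403, {}
    return 200, {"username": owner.username, "location": owner.last_location}


if __name__ == "__main__":
    # Constructed sample data: one profile with the weak default, one with the secure default.
    db = {"alice": weak_default_profile("alice"),
          "bob": secure_default_profile("bob")}
    print("anonymous views alice:", handle_view_user(db, "alice", None)[0])  # 200 under weak default
    print("anonymous views bob:", handle_view_user(db, "bob", None)[0])      # 403 under secure default
    print("bob views bob:", handle_view_user(db, "bob", "bob")[0])           # 200, owner
```

The key property is that `is_allowed` returns False for everything it does not explicitly recognise, so a new or misconfigured permission value fails closed rather than open; the only way an unauthenticated visitor gets through is an explicit EVERYONE setting chosen by the user.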

Timeline

  • 2017-08-26: Vulnerability discovered
  • 2017-08-29: First email sent to support
  • 2017-08-30: Advisory sent to developer
  • 2017-08-31: Developer replied with "won't be fixed, behaviour is intended in that way"
  • 2018-08-11: Published