SIK-2017-015


Title:

Password in Normal Text Field in KidControl GPS Tracker App

Report ID

SIK-2017-015

Summary:

  • Vendor: KidControl Dev.
  • Product: Family GPS tracker Kid Control
  • Affected Version: 3.4.3
  • Severity: High
  • Short summary:
    Passwords are entered in normal text fields, not password fields. Consequently, they are visible in plain text to any bystander.

Details:

Fields in which users are supposed to enter passwords should always be marked as password fields (on Android, an EditText with inputType textPassword). The operating system then masks every character with a dot, briefly showing only the most recently typed one, so that a bystander looking at the user's screen cannot easily read the password as it is typed. Password fields also prevent the contents from being copied to the clipboard and keep the password out of the keyboard dictionary that would otherwise learn it and offer it as a suggestion in normal text fields.
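The following layout is an added example and is not code from the KidControl app or from this advisory; the layout, ids and hint text are assumptions. It shows a password entry declared as a normal text field next to the same field declared correctly:

```xml
<!-- Added example, not from the affected app. Ids and hint text are assumed. -->
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:orientation="vertical">

    <!-- Weak: a plain text field used for the password. Typed characters stay
         visible, the keyboard offers suggestions, and the text can be copied. -->
    <EditText
        android:id="@+id/password_weak"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:hint="Password"
        android:inputType="text" />

    <!-- Corrected: textPassword makes Android mask each character with a dot
         (only the most recently typed one is shown briefly), disables
         dictionary suggestions and blocks copying to the clipboard. -->
    <EditText
        android:id="@+id/password"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:hint="Password"
        android:inputType="textPassword" />
</LinearLayout>
```

Setting the type from code with setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_VARIATION_PASSWORD) is equivalent. Note that textVisiblePassword is not masked and does not help here. To check an app for this issue, decode its APK (for example with apktool) and inspect the inputType attribute of every EditText in the decoded res/layout files.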

Workaround

Make sure that you enter your password in a private space where nobody can see your screen.

Suggested Mitigation

Always mark fields with the proper field type; every field that receives a password must use the password input type (inputType textPassword on Android).

Timeline

  • 2017-04-14: Vulnerability discovered.
  • 2017-05-18: Reported.
  • 2018-08-11: Published.