SQLi in GPS Location Tracker App
- Vendor: SeeBetaApp
- Product: Track My Family (Package-name: com.betaapp.myfamilylocator)
- Affected Version: 2.6
- Severity: high
- Short summary: SQLi in Login form breaks authentication
The backend provides a PHP file that returns information about the people belonging to the user's so-called "family".
Via a GET parameter, the user sends their identifier (mobile number) and the backend selects the data accessible with this identifier.
As no other authentication is required, an adversary can supply an arbitrary phone number and receive data that should only be accessible to the person with that identifier. Even worse, the GET parameter is vulnerable to SQL injection, so an adversary can access all of the data.
http://******/*****/fetch_family.php?mobile=' or '' ='
Proper input sanitization is required. More details can be found at https://www.owasp.org/index.php/Data_Validation
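As an added illustration (not the vendor's code; the table, column names and sample phone numbers are constructed), the following Python script rebuilds the concatenated query the advisory describes, shows that the quoted payload returns every row, and contrasts it with a handler that ties the identifier to the authenticated session, validates its shape, and binds the value as a parameter. The same fix applies to the PHP backend via prepared statements.

```python
import re
import sqlite3

# Constructed sample data (not real users): family members keyed by the
# phone number of the account that is allowed to see them.
SAMPLE_ROWS = [
    ("+15550000001", "Alice", 52.52, 13.40),
    ("+15550000001", "Bob", 48.85, 2.35),
    ("+15550000002", "Carol", 40.71, -74.01),
]

# The injection string quoted in the advisory.
PAYLOAD = "' or '' ='"

# Loose E.164-style shape check (assumption; tighten to the app's real format).
MOBILE_RE = re.compile(r"^\+?[0-9]{7,15}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE family (mobile TEXT, name TEXT, lat REAL, lon REAL)")
    conn.executemany("INSERT INTO family VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def fetch_family_vulnerable(conn, mobile):
    """Mirrors the flaw: the GET parameter is pasted straight into the SQL text."""
    sql = "SELECT name, lat, lon FROM family WHERE mobile = '" + mobile + "'"
    return conn.execute(sql).fetchall()


def fetch_family_fixed(conn, session_mobile, mobile):
    """Hardened handler: authorise the caller, validate the input, bind the value."""
    # 1. The identifier must match the authenticated session, not just the
    #    request, so a caller cannot simply pick someone else's number.
    if session_mobile is None or mobile != session_mobile:
        return None  # treat as HTTP 403 in the real endpoint
    # 2. Reject anything that does not look like a phone number at all.
    if not MOBILE_RE.fullmatch(mobile):
        return None  # treat as HTTP 400
    # 3. Parameterised query: the value is bound, never parsed as SQL.
    sql = "SELECT name, lat, lon FROM family WHERE mobile = ?"
    return conn.execute(sql, (mobile,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable + payload:", fetch_family_vulnerable(db, PAYLOAD))
    print("fixed + payload:     ", fetch_family_fixed(db, None, PAYLOAD))
    print("fixed, own number:   ", fetch_family_fixed(db, "+15550000001", "+15550000001"))
```

Running it shows the vulnerable query returning all three constructed rows for the payload, while the fixed handler returns nothing for it and only the caller's own family for a legitimate request.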
- 2017-08-09 Vulnerability Discovered
- 2017-08-10 Contacted developer
- 2018-08-11 Published