SIK-2017-041


Title:

SQLi in GPS Location Tracker App

Report ID

SIK-2017-041

Summary:

  • Vendor: SeeBetaApp
  • Product: Track My Family (Package-name: com.betaapp.myfamilylocator)
  • Affected Version: 2.6
  • Severity: high
  • Short summary: SQLi in Login form breaks authentication

Details:

The backend provides a PHP file which returns information about the people belonging to the user's so-called "family".
With a GET parameter, the user sends their identifier (the mobile number) and the backend selects the data accessible with that identifier.
As no other authentication is required, an adversary can supply an arbitrary phone number and obtain data that should only be accessible to the person with that identifier. Even worse, the GET parameter is prone to SQL injection, so an adversary can access all data.

http://******/*****/fetch_family.php?mobile=' or '' ='

Workaround


Suggested Mitigation

Proper input validation is required. More details can be found at https://www.owasp.org/index.php/Data_Validation
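The vulnerable pattern and its hardened form, as an added PHP example that is not the vendor's fetch_family.php: the table, its rows and the allow-list pattern are assumptions, and an in-memory SQLite database stands in for the real backend.

```php
<?php
// Added example, not code from the vendor's app or its fetch_family.php.
// Uses an in-memory SQLite database with a hypothetical `family_members`
// table so it runs stand-alone; the real backend is assumed to be MySQL.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE family_members (mobile TEXT, name TEXT, lat REAL, lon REAL)');
// Constructed sample rows
$pdo->exec("INSERT INTO family_members VALUES ('4915112345678', 'Alice', 52.52, 13.40)");
$pdo->exec("INSERT INTO family_members VALUES ('4917698765432', 'Bob', 48.14, 11.58)");

// Vulnerable pattern: the parameter is concatenated into the SQL string, so
// mobile=' or '' =' turns the WHERE clause into a tautology and returns every row.
function fetchFamilyVulnerable(PDO $pdo, string $mobile): array {
    $sql = "SELECT name, lat, lon FROM family_members WHERE mobile = '" . $mobile . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: allow-list validation of the value, then a bound
// parameter so the value can never be interpreted as SQL.
function fetchFamilySafe(PDO $pdo, string $mobile): ?array {
    // Allow-list assumption: international number, digits only, 7 to 15 characters
    if (!preg_match('/^[0-9]{7,15}$/', $mobile)) {
        return null;   // caller should answer 400 Bad Request
    }
    $stmt = $pdo->prepare('SELECT name, lat, lon FROM family_members WHERE mobile = :mobile');
    $stmt->execute([':mobile' => $mobile]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Compare both functions on the tautology payload from the report and on a valid identifier
$payload = "' or '' ='";
echo count(fetchFamilyVulnerable($pdo, $payload)) . " rows returned by the vulnerable query\n";
var_dump(fetchFamilySafe($pdo, $payload));        // payload rejected before reaching the database
print_r(fetchFamilySafe($pdo, '4915112345678'));  // only the matching row
```

Binding the parameter removes the injection; it does not by itself close the authorization gap described under Details, where any valid identifier still returns that family's data, which needs a separate check tying the identifier to the authenticated caller.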

Timeline

  • 2017-08-09 Vulnerability Discovered
  • 2017-08-10 Contacted developer
  • 2018-08-11 Published