SIK-2017-050
Title:
Profile Pics accessible without authentication in Girlfriend Cell Tracker App
Report ID
SIK-2017-050
Summary:
- Vendor: SoftSquare InfoSoft
- Product: Girlfriend Cell Tracker (Package-Name: com.omrup.cell.tracker)
- Affected Version: v1.20
- Severity: Medium
- Short summary: The profile picture of any user is publicly accessible to anyone who knows that user's ID; the user ID itself is not secret and can be leaked through other issues in the same app (e.g. the report titled "SMS Conversations of all users available").
Details:
By visiting
http://****/****/api/profile/<userid>
the profile picture of the user with that ID is returned without any authentication; no session, token or other credential is checked by the server.
For example:
http://****/****/api/profile/149865712068829
returns that user's profile picture (see the example screenshot).
All User-IDs can be extracted via SIK-2017-047.
Workaround
None.
Suggested Mitigation
Require authentication for the profile endpoint and, in addition, enforce an authorization check: the authenticated session must be allowed to view the requested user's picture, so that a single valid login cannot be used to enumerate every profile picture by user ID. Since the user IDs are already exposed by SIK-2017-047, the secrecy of the ID must not be relied upon as access control.
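The following is an added example to illustrate both the behaviour described under Details and the suggested mitigation; it is not code from the advisory or from the vendor's app. It models the /api/profile/<userid> endpoint as a plain request handler, first as reported (the user ID is the only input) and then hardened so that a picture is only served to a valid session that is permitted to view it. The bearer-token format, the in-memory session and "may view" tables and the picture bytes are all constructed for illustration.

```python
"""Model of the /api/profile/<userid> endpoint: vulnerable vs. hardened.

Added example, not the vendor's code. All data below is constructed.
"""
import hmac
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: user id -> profile picture (toy byte strings).
PROFILE_PICS: Dict[str, bytes] = {
    "149865712068829": b"\x89PNG...alice",
    "149865712068830": b"\x89PNG...bob",
}
# Constructed session store: bearer token -> user id that owns the session.
SESSIONS: Dict[str, str] = {
    "tok-alice": "149865712068829",
    "tok-bob": "149865712068830",
}
# Constructed relation (viewer, target): who may view whose picture.
MAY_VIEW = {("149865712068830", "149865712068829")}  # bob may view alice

PROFILE_RE = re.compile(r"^/api/profile/(\d+)$")
Response = Tuple[int, bytes]  # (HTTP status, body)


def vulnerable_profile(path: str, headers: Dict[str, str]) -> Response:
    """Behaviour described in the report: the user id is the only input,
    the request headers (and thus any credential) are never consulted."""
    m = PROFILE_RE.match(path)
    if not m:
        return 404, b""
    pic = PROFILE_PICS.get(m.group(1))
    return (200, pic) if pic else (404, b"")


def _session_user(headers: Dict[str, str]) -> Optional[str]:
    """Map an Authorization: Bearer <token> header to a user id, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):]
    # Constant-time comparison so token lookup does not leak by timing.
    for known, uid in SESSIONS.items():
        if hmac.compare_digest(known, token):
            return uid
    return None


def hardened_profile(path: str, headers: Dict[str, str]) -> Response:
    """Authentication plus authorization: the caller needs a valid session,
    and that session must be allowed to view the requested user."""
    m = PROFILE_RE.match(path)
    if not m:
        return 404, b""
    requester = _session_user(headers)
    if requester is None:
        return 401, b""  # no valid session
    target = m.group(1)
    # Authorization is checked before existence, so an unauthorized caller
    # cannot use 403-vs-404 as an oracle for which user ids exist.
    if requester != target and (requester, target) not in MAY_VIEW:
        return 403, b""
    pic = PROFILE_PICS.get(target)
    return (200, pic) if pic else (404, b"")


def enumerate_unauthenticated(handler: Callable[[str, Dict[str, str]], Response],
                              user_ids: List[str]) -> List[str]:
    """Re-test the finding: which ids return a picture with no credentials?
    Against the vulnerable handler this is exactly the enumeration the
    report describes; against the hardened one it should return nothing."""
    return [uid for uid in user_ids
            if handler(f"/api/profile/{uid}", {})[0] == 200]


if __name__ == "__main__":
    ids = ["149865712068829", "149865712068830", "1"]
    print("vulnerable:", enumerate_unauthenticated(vulnerable_profile, ids))
    print("hardened:  ", enumerate_unauthenticated(hardened_profile, ids))
```

The enumeration helper is the same check a tester would run against the real endpoint: feed it the user IDs obtained via SIK-2017-047 and every 200 response without a credential confirms the finding. Note that the hardened handler returns 403 before it looks the target up, so a logged-in attacker cannot distinguish "forbidden" from "non-existent" and use the endpoint to confirm which IDs are real.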
Timeline
- 2017-07-26: Vulnerability discovered
- 2017-08-29: First Email sent to developer
- 2018-08-11: Published