SIK-2017-050


Title:

Profile Pics accessible without authentication in Girlfriend Cell Tracker App

Report ID:

SIK-2017-050

Summary:

  • Vendor: SoftSquare InfoSoft
  • Product: Girlfriend Cell Tracker (package name: com.omrup.cell.tracker)
  • Affected Version: v1.20
  • Severity: Medium
  • Short summary: With only the userid (which can be leaked, e.g., via the issue "SMS Conversations of all users available") the profile picture is publicly accessible.

Details:

By visiting

http://****/****/api/profile/<userid>

the profile picture is returned without any authentication; knowledge of the userid alone is sufficient.

For example:

http://****/****/api/profile/149865712068829

returns that user's profile picture, as captured in the example screenshot.

All User-IDs can be extracted via SIK-2017-047.
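As an added illustration (not the vendor's code), the following models the /api/profile/<userid> endpoint described above, first in the reported state and then in a mitigated form that checks both authentication and authorization (the mitigated handler goes a step beyond the advisory's suggestion by also restricting who may view a given profile). The user IDs, picture bytes and sharing table are constructed sample data; the bearer-token session scheme is an assumption about the server design.

```python
import hmac
import secrets
from typing import Optional

# Constructed sample data: profile pictures keyed by user ID (placeholder bytes).
PROFILE_PICS = {
    "149865712068829": b"\x89PNG...alice",
    "200000000000001": b"\x89PNG...bob",
}
# Constructed sharing table: who may view a profile besides its owner.
ALLOWED_VIEWERS = {
    "149865712068829": {"200000000000001"},
    "200000000000001": set(),
}
# Server-side session store (assumed design): bearer token -> user ID.
SESSIONS: dict = {}

def login(user_id: str) -> str:
    """Issue a random bearer token for a user who has already authenticated."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token

def resolve_session(auth_header: Optional[str]) -> Optional[str]:
    """Map an 'Authorization: Bearer <token>' header to a user ID, or None."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    presented = auth_header[len("Bearer "):].encode()
    for token, user_id in SESSIONS.items():
        if hmac.compare_digest(token.encode(), presented):  # constant-time compare
            return user_id
    return None

def get_profile_vulnerable(user_id: str, auth_header: Optional[str] = None):
    """Behaviour reported in SIK-2017-050: anyone who knows the user ID gets
    the picture; the Authorization header is never consulted."""
    pic = PROFILE_PICS.get(user_id)
    return (200, pic) if pic is not None else (404, None)

def get_profile_hardened(user_id: str, auth_header: Optional[str] = None):
    """Mitigated handler: authenticate the caller, then require that the caller
    is the owner or an allowed viewer.  The authorization check runs before the
    lookup, so an unauthorized caller cannot probe whether a user ID exists."""
    caller = resolve_session(auth_header)
    if caller is None:
        return (401, None)  # not authenticated
    if caller != user_id and caller not in ALLOWED_VIEWERS.get(user_id, set()):
        return (403, None)  # authenticated but not authorized
    pic = PROFILE_PICS.get(user_id)
    return (200, pic) if pic is not None else (404, None)
```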

Workaround:

None.

Suggested Mitigation:

Require authentication before serving profile pictures, and check that the authenticated caller is actually entitled to view the requested profile, so that knowledge of a userid alone is not sufficient to retrieve the picture.

Timeline:

  • 2017-07-26: Vulnerability discovered
  • 2017-08-29: First email sent to developer
  • 2018-08-11: Published