SIK-2017-052
Title:
User Location and Info publicly accessible by username in RealTime GPS Tracker App
Report ID
SIK-2017-052
Summary:
- Vendor: Greenalp
- Product: RealTime GPS Tracker (Package-Name: com.greenalp.RealtimeTracker)
- Affected Version: android:versionName="0.9.81"
- Severity: High
- Short summary: With a known username, an adversary can publicly access the location and other information about the user's phone, as long as the default settings are unchanged.
Details:
An adversary can visit
https://www.greenalp.com/realtimetracker/index.php?viewuser=USERNAME
with a known username to view the user's location and other information such as speed, direction and battery status. The user can log in on the greenalp.com website to prevent this or restrict it to friends, but the default setting makes this information publicly accessible.
Workaround
The user can log in on greenalp.com and set the permissions to friends or nobody.
Suggested Mitigation
The default setting should be that nobody can see the user's location and info.
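The following is an added example, not Greenalp's code, that models the visibility setting behind a viewuser-style lookup. It contrasts the insecure default described above (everything public unless the user changes it) with the suggested secure default (nobody but the owner), and includes a small audit helper a service operator could run over account records to find profiles still on the public setting. All names (Visibility, Profile, create_profile, view_user, audit_public_profiles) and the sample telemetry are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Visibility(Enum):
    PUBLIC = "public"     # anyone, including unauthenticated visitors
    FRIENDS = "friends"   # only accounts on the owner's friend list
    NOBODY = "nobody"     # only the owner


# The two defaults under discussion: what the advisory reports versus the mitigation.
INSECURE_DEFAULT = Visibility.PUBLIC
SECURE_DEFAULT = Visibility.NOBODY


@dataclass
class Profile:
    username: str
    visibility: Visibility
    location: dict = field(default_factory=dict)   # tracked data (hypothetical fields)
    friends: set = field(default_factory=set)


def create_profile(username: str, location: dict,
                   default: Visibility = SECURE_DEFAULT) -> Profile:
    """Create a new account. A secure-by-default service never exposes data
    unless the owner opts in, so the default visibility is NOBODY."""
    return Profile(username=username, visibility=default, location=dict(location))


def can_view(profile: Profile, viewer: Optional[str]) -> bool:
    """Authorization check for the tracked data.
    `viewer` is the authenticated username, or None for an anonymous visitor."""
    if viewer is not None and viewer == profile.username:
        return True                                  # owner always sees own data
    if profile.visibility is Visibility.PUBLIC:
        return True
    if profile.visibility is Visibility.FRIENDS:
        return viewer is not None and viewer in profile.friends
    return False                                     # NOBODY


def view_user(profile: Profile, viewer: Optional[str]) -> Optional[dict]:
    """Model of a `viewuser=USERNAME` lookup: return the tracked data only if the
    check passes, otherwise None. Deny returns nothing rather than a partial record."""
    return dict(profile.location) if can_view(profile, viewer) else None


def audit_public_profiles(profiles: list) -> list:
    """Operator-side check: usernames whose data is visible to anonymous visitors."""
    return sorted(p.username for p in profiles if can_view(p, None))


# Constructed sample telemetry for the demonstration.
SAMPLE_LOCATION = {"lat": 48.1, "lon": 11.6, "speed_kmh": 42, "battery_pct": 77}


def demo() -> dict:
    """Compare both defaults and return the outcomes for inspection."""
    weak = create_profile("alice", SAMPLE_LOCATION, default=INSECURE_DEFAULT)
    hard = create_profile("alice", SAMPLE_LOCATION)           # SECURE_DEFAULT
    hard_friends = create_profile("carol", SAMPLE_LOCATION)
    hard_friends.visibility = Visibility.FRIENDS              # owner opted in
    hard_friends.friends.add("bob")
    return {
        "weak_anonymous": view_user(weak, None),               # leaks everything
        "hard_anonymous": view_user(hard, None),               # None
        "hard_owner": view_user(hard, "alice"),                # owner still sees it
        "friends_friend": view_user(hard_friends, "bob"),      # allowed
        "friends_stranger": view_user(hard_friends, "mallory"),  # None
        "audit": audit_public_profiles([weak, hard, hard_friends]),  # ["alice"]
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the model is that the authorization decision lives in one place (can_view) and that a freshly created profile denies anonymous access until the owner changes the setting; audit_public_profiles is the kind of check an operator can run after changing the default to find accounts created under the old one.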
Timeline
- 2017-08-26: Vulnerability discovered
- 2017-08-30: Advisory sent to developer
- 2017-08-31: Developer replied with "won't be fixed, behaviour is intended in that way"
- 2018-08-11: Published