User Location and Info publicly accessible by username in RealTime GPS Tracker App
- Vendor: Greenalp
- Product: RealTime GPS Tracker (Package-Name: com.greenalp.RealtimeTracker)
- Affected Version: android:versionName=“0.9.81″
- Severity: High
- Short summary: With a known username, an adversary can publicly access the location and other info about the user cellphone, if default settings are still set.
An adversary can visit
with a known username to view the location and other info like speed, direction, battery status of the user. The user is able to login on the greenalp.com website to prevent this behavior or restrict it to friends. But the default setting is that this info is publicly accessible.
The user can login on greenalp.com and set the permissions to friends or nobody.
Default setting should be that nobody is able to see location and info by default.
- 2017-08-26: Vulnerability discovered
- 2017-08-30: Advisory sent to developer
- 2017-08-31: Developer replied with „won’t be fixed, behaviour is intended in that way“
- 2018-08-11: Published