SIK-2017-054
Title:
Send Message to User with username without authentication in RealTime GPS Tracker App
Report ID
SIK-2017-054
Summary:
- Vendor: Greenalp
- Product: RealTime GPS Tracker (Package-Name: com.greenalp.RealtimeTracker)
- Affected Version: android:versionName="0.9.81"
- Severity: High
- Short summary: With a known username, an adversary can send messages to the user's phone through the public greenalp.com web interface without any authentication, and can also publicly access the location and other info about the user's cellphone, if the default settings are still in place.
Details:
An adversary can visit
https://www.greenalp.com/realtimetracker/index.php?viewuser=USERNAME
with a known username and, without logging in, send messages to the phone on which the app is running. The only thing an attacker needs is the username, which is not a secret. The user can prevent this by logging in on greenalp.com and setting the view location permission to "nobody but me".
Workaround
The user can log in on greenalp.com and set the permissions to "friends" or "nobody".
Suggested Mitigation
The default setting should be that nobody can send messages to the user; sending messages should require authentication and an explicit opt-in by the user.
Timeline
- 2017-08-26: Vulnerability discovered
- 2017-08-29: First email sent to support
- 2017-08-30: Advisory sent to developer
- 2017-08-31: Developer replied with "won't be fixed, behaviour is intended in that way"
- 2018-08-11: Published