Send Message to User with username without authentication in RealTime GPS Tracker App
- Vendor: Greenalp
- Product: RealTime GPS Tracker (Package-Name: com.greenalp.RealtimeTracker)
- Affected Version: android:versionName="0.9.81"
- Severity: High
- Short summary: With a known username, an adversary can publicly access the location and other information about the user's cellphone if the default settings are still in place.
An adversary can visit
with a known username to send messages to the phone on which the app is running. The user can prevent this by logging in on greenalp.com and setting the view location permission to "nobody but me".
The user can log in on greenalp.com and set the permissions to friends or nobody.
The default setting should be that nobody can send messages to the user.
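The following is an added illustration, not Greenalp's code: a server-side permission check for a "send message by username" endpoint, modelling the weak default the advisory describes (anyone, authenticated or not, can message any known username) beside a default-deny variant. The user names, the permission levels and the friend list are constructed sample data.

```python
from enum import Enum
from typing import Optional


class MessagePermission(Enum):
    EVERYONE = "everyone"  # observed default per the advisory: anonymous senders allowed
    FRIENDS = "friends"
    NOBODY = "nobody"      # the default the advisory recommends


# Constructed sample data: per-user settings and a symmetric friend relation.
# "bob" never changed the setting, so he gets whatever the server default is.
USERS = {
    "alice": {"message_permission": MessagePermission.FRIENDS},
    "bob": {},
    "carol": {"message_permission": MessagePermission.NOBODY},
}
FRIENDS = {("alice", "bob"), ("bob", "alice")}


def can_send_message(sender: Optional[str], recipient: str,
                     default: MessagePermission, require_auth: bool) -> bool:
    """sender is None for an unauthenticated request.

    Unknown recipients are rejected the same way as forbidden ones, so the
    endpoint does not confirm which usernames exist.
    """
    if require_auth and sender is None:
        return False
    if recipient not in USERS:
        return False
    perm = USERS[recipient].get("message_permission", default)
    if perm is MessagePermission.NOBODY:
        return sender == recipient  # a user may still message their own phone
    if perm is MessagePermission.FRIENDS:
        return sender is not None and (
            sender == recipient or (sender, recipient) in FRIENDS)
    return True  # EVERYONE: no check at all beyond the username being known


def weak_policy(sender: Optional[str], recipient: str) -> bool:
    # As described in the advisory: no login needed, unchanged settings allow everyone.
    return can_send_message(sender, recipient, MessagePermission.EVERYONE, False)


def hardened_policy(sender: Optional[str], recipient: str) -> bool:
    # Default-deny: login required, and untouched settings mean "nobody".
    return can_send_message(sender, recipient, MessagePermission.NOBODY, True)
```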
- 2017-08-26: Vulnerability discovered
- 2017-08-29: First email sent to support
- 2017-08-30: Advisory sent to developer
- 2017-08-31: Developer replied with "won't be fixed, behaviour is intended in that way"
- 2018-08-11: Published