CVSS2: 5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.002 Low (Percentile: 51.5%)
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called “stalkerware.” An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.
IDOR is a common web application flaw in which a server returns data selected by a client-supplied object reference (such as a device or account identifier) without sufficient authentication or authorization checks on that reference. Multiple services and apps are affected by this backend vulnerability. A list of known vendors is included below.
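As an added illustration (not code from this note, from TechCrunch, or from any vendor), the following Python sketch models the flaw described above: a backend endpoint that hands out a device's collected data on the strength of the device identifier alone, beside a handler that first authenticates the caller and then authorizes access to that specific object. The account ids, session tokens, device ids and records are constructed for the example.

```python
# Added example (not code from the vulnerability note or any vendor): a minimal
# model of a monitoring backend's "get device data" endpoint, showing the IDOR
# pattern next to a handler with per-object authorization.
# All identifiers and records below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Device:
    device_id: str
    owner_account: str
    records: tuple  # collected data (constructed placeholder strings)

# Constructed sample data: two accounts, each with one enrolled device.
DEVICES = {
    "dev-1001": Device("dev-1001", "acct-a", ("sms:...", "location:...")),
    "dev-1002": Device("dev-1002", "acct-b", ("calls:...",)),
}
# Constructed session store: token -> account that holds it.
SESSIONS = {"tok-a": "acct-a", "tok-b": "acct-b"}

def get_device_data_idor(device_id: str) -> Tuple[int, Optional[tuple]]:
    """Vulnerable pattern: the object reference alone selects the data.
    No caller identity is established and no ownership check is made, so
    any device_id yields that device's records."""
    dev = DEVICES.get(device_id)
    return (200, dev.records) if dev else (404, None)

def get_device_data(token: Optional[str], device_id: str) -> Tuple[int, Optional[tuple]]:
    """Hardened handler: authenticate the caller, then authorize against the
    specific object. An unknown id and another account's id both return 404,
    so the response does not reveal whether the id exists."""
    account = SESSIONS.get(token) if token else None
    if account is None:
        return (401, None)          # unauthenticated request
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner_account != account:
        return (404, None)          # not found or not owned: same answer
    return (200, dev.records)

if __name__ == "__main__":
    print(get_device_data_idor("dev-1002"))      # (200, ('calls:...',))
    print(get_device_data(None, "dev-1002"))     # (401, None)
    print(get_device_data("tok-a", "dev-1002"))  # (404, None)
    print(get_device_data("tok-b", "dev-1002"))  # (200, ('calls:...',))
```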
For more information and a detailed account of the flaw and investigation, please see “Behind the stalkerware network spilling the private phone data of hundreds of thousands.”
An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.
We are unaware of a practical solution to this problem. The infrastructure provider (1Byte Software, according to the TechCrunch investigation) would need to address the IDOR vulnerability.
For advice on detecting and removing stalkerware apps, see “Your Android phone could have stalkerware, here’s how to remove it.” As noted by TechCrunch:
> Before you proceed, have a safety plan in place. The Coalition Against Stalkerware offers advice and guidance for victims and survivors of stalkerware. Spyware is designed to be covert, but keep in mind that removing the spyware from your phone will likely alert the person who planted it, which could create an unsafe situation.
Thanks to Zack Whittaker from TechCrunch for researching and reporting this vulnerability and investigating the wider security concerns related to stalkerware.
This document was written by James Stanley and Art Manion.
Vendor information (19 vendors; vendor names are not present in this copy of the note):

Vendor | Notified | Updated | CVE-2022-0732 | VU#229438.1 | Vendor statement
---|---|---|---|---|---
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | 2021-11-02 | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | 2021-11-02 | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | 2021-11-02 | 2022-02-22 | Unknown | Affected | None received
(name not shown) | 2021-11-02 | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | 2021-11-02 | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | 2021-11-02 | 2022-02-22 | Unknown | Affected | None received
(name not shown) | | 2022-02-22 | Unknown | Affected | None received
(name not shown) | 2021-11-02 | 2023-02-24 | Not Affected | Not Affected | None received (Statement Date: February 24, 2023)
CVE IDs: CVE-2022-0732
API URL: VINCE JSON
Date Public: 2022-02-22
Date First Published: