JVN#63023305: InBody App vulnerable to information disclosure

InBody App provided by InBody Japan Inc. works with the household body composition analyzer InBody Dial manufactured and sold by InBody Japan Inc., and as a part of its functions, it manages and stores data such as weight, BMI, skeletal muscle mass, and fat mass measured by InBody Dial.
InBody App contains a vulnerability which may lead to information disclosure (CWE-200) only when it works with InBody Dial. As a result, it may receive a measurement result from InBody Dial under specific conditions.

Impact

Under specific conditions, an attacker who can connect to the InBody Dial with InBody App may obtain a victim’s measurement result measured by InBody Dial.

Solution

Update InBody App
Update InBody App to the latest version according to the information provided by the developer.

Products Affected

The following products are affected by this vulnerability only when they work with the household body composition analyzer InBody Dial.

• InBody App for iOS versions prior to 2.3.30
• InBody App for Android versions prior to 2.2.90(510)