28 matches found
EUVD-2016-7465
Malware in sbrugna...
EUVD-2016-7463
Malware in sbrugna...
EUVD-2016-7464
Malware in sbrugna...
Design/Logic Flaw
The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device's BLE MAC address...
Code injection
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
Design/Logic Flaw
Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password...
CVE-2016-6542
The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device's BLE MAC address...
CVE-2016-6543
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
CVE-2016-6544
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
Code injection
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
Authentication flaw
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
CVE-2016-6544 iTrack Easy's getgps data can be modified without authentication
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
CVE-2016-6543 A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
CVE-2016-6546 iTrack Easy mobile application stores the user password in base-64 encoding/cleartext
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
CVE-2016-6545
CVE-2016-6545 relates to iTrack Easy where session cookies are not used to maintain valid sessions and the user password is sent as a base64-encoded POST parameter on every request. The underlying issue is insufficient session expiration/management, requiring a password change to terminate sessio...
CVE-2016-6544
CVE-2016-6544 affects iTrack Easy and concerns a missing authentication for a critical function: the getgps data can be modified by setting the parameter cmd:setothergps, enabling an unauthenticated attacker to alter GPS data of a lost device. The connected documents confirm the root cause is lac...
CVE-2016-6546
The CVE-2016-6546 entry concerns the iTrack Easy mobile app which stores the user’s cloud API password in the cache.db file using base64 encoding. The base64 format is treated as equivalent to cleartext, exposing credentials on local access. Documents consistently describe this as a cleartext-lik...
CVE-2016-6542
The CVE-2016-6542 entry concerns the iTrack Easy device, where the BLE MAC address (the tracker ID) can be obtained by being within range of the device. The issue is described as an information exposure vulnerability: an unauthenticated party could learn the device’s BLE MAC address, enabling pot...
CVE-2016-6543
CVE-2016-6543 describes an issue in iTrack Easy where a captured MAC/device ID can be registered under multiple user accounts, allowing access to getgps GPS data and enabling unauthenticated parties to track the device. The connected documents confirm the exposure and associated risk but do not p...