23 matches found
EUVD-2016-7465
Malware in sbrugna...
EUVD-2016-7464
Malware in sbrugna...
Authentication flaw
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
Code injection
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
Design/Logic Flaw
Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password...
Code injection
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
CVE-2016-6543
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
CVE-2016-6544
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
CVE-2016-6544 iTrack Easy's getgps data can be modified without authentication
getgps data in iTrack Easy can be modified without authentication by setting the data using the parameter cmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device...
CVE-2016-6545 iTrack Easy does not use session cookies to maintain sessions and POSTs the user's password over HTTPS for each request
Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password...
CVE-2016-6545
CVE-2016-6545 relates to iTrack Easy where session cookies are not used to maintain valid sessions and the user password is sent as a base64-encoded POST parameter on every request. The underlying issue is insufficient session expiration/management, requiring a password change to terminate sessio...
CVE-2016-6544
CVE-2016-6544 affects iTrack Easy and concerns a missing authentication for a critical function: the getgps data can be modified by setting the parameter cmd:setothergps, enabling an unauthenticated attacker to alter GPS data of a lost device. The connected documents confirm the root cause is lac...
CVE-2016-6542 The MAC address/device tracking ID of an iTrack Easy can be obtained within range of the device
The iTrack device tracking ID number, also called "LosserID" in the web API, can be obtained by being in the range of an iTrack device. The tracker ID is the device's BLE MAC address...
CVE-2016-6546
The CVE-2016-6546 entry concerns the iTrack Easy mobile app which stores the user’s cloud API password in the cache.db file using base64 encoding. The base64 format is treated as equivalent to cleartext, exposing credentials on local access. Documents consistently describe this as a cleartext-lik...
CVE-2016-6543
CVE-2016-6543 describes an issue in iTrack Easy where a captured MAC/device ID can be registered under multiple user accounts, allowing access to getgps GPS data and enabling unauthenticated parties to track the device. The connected documents confirm the exposure and associated risk but do not p...
CVE-2016-6546 iTrack Easy mobile application stores the user password in base-64 encoding/cleartext
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext...
CVE-2016-6543 A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data
A captured MAC/device ID of an iTrack Easy can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device...
iTrack Easy Device Tracking Vulnerability
The iTrack Easy is a versatile Bluetooth device. The iTrack Easy MAC/device ID can be registered for use by multiple users, allowing a remote attacker to exploit the vulnerability by submitting a special request to access getgps GPS data to track the device...
iTrack Easy Man-in-the-Middle Attack Vulnerability
iTrack Easy is a multifunctional Bluetooth device. The device supports connecting with apps on your smartphone to find lost or misplaced things and more. A security vulnerability exists in iTrack Easy. An attacker could exploit this vulnerability to conduct a man-in-the-middle attack...