CVSS2: 5 Medium, AV:N/AC:L/Au:N/C:P/I:N/A:N (Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE)
CVSS3: 7.5 High, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE)
EPSS: 0.002 Low, Percentile 53.9%
CVE-2021-21823
An information disclosure vulnerability exists in the Friend finder functionality of GmbH Komoot version 10.26.9 up to 11.1.11. A specially crafted series of network requests can lead to the disclosure of sensitive information.
Komoot GmbH Komoot 10.26.9
Komoot GmbH Komoot 11.0.14
Komoot GmbH Komoot 11.1.11
5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-359 - Exposure of Private Information ("Privacy Violation")
Komoot is a route planner available for several devices (Android, iOS, and others). It is mostly used for planning outdoor activities like biking and hiking and features offline maps, turn-by-turn navigation and tour recording. Routes and past recordings can be saved online and shared with other users.
In the Komoot Android app, the friend finder feature in the user profile section allows searching for friends by name or email address. What it apparently does, though, is match the entered string and suggest possible matches, even for substrings. Searching for "gmail", "gmx", "web.de" or similar lists a seemingly endless number of email addresses of matching usernames. It is thus possible to look for and target people working for certain companies simply by specifying a domain name. The email addresses used to register an account are not searchable in this way. The ability to be found in a search can be disabled, but it is enabled by default.
Additionally, the substring search can be abused to identify the profile IDs of accounts. For example, if searching for "123456" returns 10 accounts, appending a single digit (1, 2, 3, and so on) shows a subset of those 10 accounts. Digits can be appended one at a time (as long as at least one profile is still shown) until the 13-digit profile ID length is reached, revealing the full profile ID.
Note that even though the profile ID of a specific profile is not secret, since it can be obtained through other means, this issue allows every profile ID registered on the platform to be enumerated by brute-forcing single digits one at a time, which makes the search space very small.
Another issue, unrelated to the substring search functionality, is that deleting an account does not delete its profile picture. We created a test account with ID 1963024692729, which was then deleted on April 20th at 5:38pm CEST. The image for that account is, however, still available at: https://d2exd72xrrp1s7.cloudfront.net/www/zx/zx3uli96uvjw14fsrz310f5903qutq15n-u1963024692729-full/178efac38f8?width=100&height=100&crop=true&q=75
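The two behaviours described above (substring matching across name, email and numeric profile ID, and the digit-by-digit ID walk it enables) are easier to reason about with a toy model. The following is an added example and is not Komoot's code or Talos' own; the account table, the query log lines and the field names are constructed for illustration. It places the weak lookup beside a hardened one (exact email match, opt-in discoverability, no profile ID or email in the response) and adds a log-based detector that flags a client whose consecutive numeric queries each extend the previous one by exactly one digit.

```python
"""
Added example (not Komoot's or Talos' code): a toy friend finder showing
the substring-match lookup from the advisory next to a hardened lookup,
plus a detector for digit-by-digit profile ID enumeration in query logs.
Every account, query and log line below is constructed sample data.
"""
import re
from collections import defaultdict

# Constructed sample accounts: (profile_id, display_name, email, discoverable)
ACCOUNTS = [
    (1234567890123, "alice", "alice@example.org", True),
    (1234560000001, "bob.gmail", "bob@example.net", True),
    (9876543210000, "carol", "carol@example.com", False),
    (1234569999999, "dave", "dave@example.org", True),
]


def find_friends_substring(query):
    """Weak lookup (the advisory's behaviour, modelled): case-insensitive
    substring match on display name, email AND the numeric profile ID,
    ignoring the discoverability flag, and returning email addresses."""
    q = query.lower()
    return [
        (pid, email)
        for pid, name, email, _discoverable in ACCOUNTS
        if q in name.lower() or q in email.lower() or q in str(pid)
    ]


def find_friends_exact(query):
    """Hardened lookup: only discoverable accounts, only an exact match on
    the normalised email address, and the response carries the display
    name rather than the email or the profile ID. A bare substring such
    as "gmail" or "123456" can never match anything here."""
    q = query.strip().lower()
    if "@" not in q:
        return []
    return [
        name
        for _pid, name, email, discoverable in ACCOUNTS
        if discoverable and email.lower() == q
    ]


# Constructed query log: one line per friend-finder request.
SAMPLE_LOG = """\
2021-04-20T17:38:01Z client=10.0.0.5 q=123456 hits=10
2021-04-20T17:38:02Z client=10.0.0.5 q=1234567 hits=4
2021-04-20T17:38:03Z client=10.0.0.5 q=12345678 hits=2
2021-04-20T17:38:04Z client=10.0.0.5 q=123456789 hits=1
2021-04-20T17:38:05Z client=10.0.0.9 q=alice hits=1
2021-04-20T17:38:06Z client=10.0.0.9 q=bob hits=1
"""

LOG_RE = re.compile(r"^\S+ client=(?P<client>\S+) q=(?P<q>\S+) hits=\d+$")


def flag_id_enumeration(log_text, min_chain=3):
    """Flag clients whose consecutive numeric queries each extend the
    previous query by exactly one digit, i.e. the digit-by-digit walk
    towards a full 13-digit profile ID. Returns sorted client ids."""
    last_query = {}
    chain_len = defaultdict(int)
    flagged = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not friend-finder requests
        client, q = m.group("client"), m.group("q")
        prev = last_query.get(client)
        extends_prev = (
            prev is not None and q.startswith(prev) and len(q) == len(prev) + 1
        )
        if q.isdigit() and extends_prev:
            chain_len[client] += 1
        else:
            chain_len[client] = 1 if q.isdigit() else 0
        last_query[client] = q
        if chain_len[client] >= min_chain:
            flagged.add(client)
    return sorted(flagged)


if __name__ == "__main__":
    print("weak   'example':", find_friends_substring("example"))
    print("weak   '123456' :", find_friends_substring("123456"))
    print("exact  'example':", find_friends_exact("example"))
    print("exact  alice    :", find_friends_exact("alice@example.org"))
    print("flagged clients :", flag_id_enumeration(SAMPLE_LOG))
```

The hardened lookup removes both leaks at once: without substring matching there is no domain-based harvesting, and because the profile ID is never part of the match key there is no prefix to walk. The detector is a complement rather than a replacement; in a real deployment the same chain signal would also feed a per-client rate limit on the search endpoint.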
2021-04-26 - Vendor Disclosure
2021-05-28 - Vendor Patched
2021-06-08 - Talos tested fix
2021-06-08 - Public Release
Discovered by Martin Zeiser of Cisco Talos.