
[Full-disclosure] Airscanner Mobile Security Advisory #08031201: FlexiSPY Multiple Issues



<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000000">
<p><strong>Airscanner Mobile Security Advisory #08031201</strong><strong>:<br>
FlexiSPY Victim/User Email/SMS/Call Log Spoofing and Flawed Encryption
Scheme</strong> </p>
<p><strong>Product:</strong><br>
FlexiSPY Product and Website</p>
<p><strong>Platform:</strong><br>
NA</p>
<p> <strong>Requirements:</strong><br>
NA</p>
<p><strong> Credits:</strong><br>
Seth Fogie<br>
Airscanner Mobile Security<br>
<a href="http://www.airscanner.com">http://www.airscanner.com</a><br>
March 12, 2008</p>
<p><strong> Risk Level:</strong><br>
<br>
High - Spoofed log records / Broken protection of settings file can
lead to spyware hijacking and unmasking of sensitive information.</p>
<p> <strong>Summary:</strong><br>
<br>
FlexiSPY.com's user administration web application contains a critical
bug that allows anyone to inject spoofed incoming/outgoing phone
records, SMS messages, and Emails into the backend database for ANY
user of the software if the IMEI value is known. In addition, due to a
broken protection scheme on the configuration file, the identity of the
person who is monitoring the device can be retrieved, and the spyware
can be hijacked and removed from FlexiSPY.com's control.</p>
<p> <strong>Details:</strong></p>
<p>Record Spoofing: The FlexiSPY backend requires no authentication
other than the IMEI of the infected phone. Since records are posted
via an unencrypted HTTP POST, spoofed logs can be created and
uploaded to the FlexiSPY backend. </p>
<p>Flawed Encryption Scheme: The configuration information is stored
locally on the infected device. The file is 'encrypted' to prevent a
user from learning information, such as the phone number of the device
permitted to connect to the infected phone and listen in on phone calls.</p>
<p>Insecure Solution: The FlexiSPY product stores the location of the
backend in the settings file. Since the settings file can be decrypted
(and re-encrypted), it is trivial to change the location of the backend
to an alternate location.<br>
<br>
More details on this program and the vulnerabilities are located at:</p>
<p><a 
href="http://www.informit.com/articles/article.aspx?p=1185592">http://www.informit.com/articles/article.aspx?p=1185592</a></p>
<p><strong> Workaround:</strong><br>
Uninstall the software from the victim's phone. </p>
<p>Copyright (c) 2008 Airscanner Corp.</p>
<p>Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of Airscanner Corp. If you wish to reprint the whole or
any part of this alert in any other medium other than electronically,
please contact Airscanner Corp. for permission.</p>
<p>Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for use on
an AS IS condition. There are no warranties with regard to this
information. Neither the author nor the publisher accepts any liability
for any direct, indirect, or consequential loss or damage arising from
use of, or reliance on, this information.</p>
<p><br>
</p>
</body>
</html>
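
Added example, not part of the original advisory or of any Airscanner or FlexiSPY code: a detection check for the traffic pattern the Record Spoofing section describes, a cleartext HTTP POST whose only credential is a device IMEI. It flags form bodies carrying a 15-digit value that passes the Luhn check used for IMEI check digits. The host names, paths and field names in the samples are constructed assumptions, not the product's real request format.

```python
import re
from urllib.parse import parse_qsl

# A 15-digit run that is not part of a longer number.
IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")

def luhn_ok(digits):
    """Luhn check; the 15th digit of an IMEI is a Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def flag_request(raw):
    """Return a finding for a cleartext POST whose form body has a valid IMEI, else None."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    if method != "POST":
        return None
    parts = (line.partition(":") for line in lines[1:])
    headers = {name.strip().lower(): value.strip() for name, _, value in parts}
    fields = [k for k, v in parse_qsl(body, keep_blank_values=True)
              if any(luhn_ok(m) for m in IMEI_RE.findall(v))]
    if not fields:
        return None
    return {
        "host": headers.get("host", ""),
        "path": target,
        "imei_fields": fields,
        # True when the request has no credential besides the identifier.
        "identifier_only": not (headers.keys() & {"authorization", "cookie"}),
    }

# Constructed samples: hosts, paths and field names are hypothetical.
SAMPLES = [
    "POST /upload HTTP/1.1\r\nHost: logs.example.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "imei=490154203237518&type=sms&text=hello",
    "POST /form HTTP/1.1\r\nHost: shop.example.invalid\r\nCookie: s=1\r\n\r\n"
    "order=490154203237519&qty=2",   # 15 digits, but fails the Luhn check
    "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    print([flag_request(r) for r in SAMPLES])
```

The Luhn filter keeps ordinary 15-digit order or account numbers from raising a finding; the `identifier_only` flag separates requests that also carry a session or authorization header.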
