The VeryFitPro (com.veryfit2hr.second) application 3.2.8 for Android does all communication with the backend API over cleartext HTTP. This includes logins, registrations, and password change requests. This allows information theft and account takeover via network sniffing.
Weakness
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Veryfitpro | I-doo | 3.2.8 (including) | 3.2.8 (including) |
Potential Mitigations
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/102.html
- https://cwe.mitre.org/data/definitions/117.html
- https://cwe.mitre.org/data/definitions/383.html
- https://cwe.mitre.org/data/definitions/477.html
- https://cwe.mitre.org/data/definitions/65.html
References
- http://seclists.org/fulldisclosure/2021/Jun/45
- https://play.google.com/store/apps/details?id=com.veryfit2hr.second\u0026hl=en_US\u0026gl=US
- https://trovent.github.io/security-advisories/TRSA-2105-01/TRSA-2105-01.txt
- https://trovent.io/security-advisory-2105-01
- http://seclists.org/fulldisclosure/2021/Jun/45
- https://play.google.com/store/apps/details?id=com.veryfit2hr.second\u0026hl=en_US\u0026gl=US
- https://trovent.github.io/security-advisories/TRSA-2105-01/TRSA-2105-01.txt
- https://trovent.io/security-advisory-2105-01