Elvie DVE Reports

Elvie DVE Reports

Elvie

Website: https://www.elvie.com/
Vulnerability disclosure address: None Yet Public
Status: Early discussions

DVE-2017-26

  • Date Posted:4/20/2017
  • Type of Vulnerability: Static password embedded in Android app
  • Products affected: Elvie Android App before v1.7.4
  • Found and reported by: RenderMan
  • Date Reported: 4/7/2017
  • Description: The Elvie Android app (and iOS) uses a static username and password to authenticate to the API. These credentials worked for multiple use case API's and allowed excessive access.
  • Remediation: App still uses basic authentication and static credentials, however, other API's use different credentials and API permissions were reviewed and secured as per DVE-2017-28

DVE-2017-27

  • Date Posted:4/20/2017
  • Type of Vulnerability: Multiple SSL/TLS Implementation Issues
  • Products affected: https://v1-1api.chiaro.co.uk/
  • Found and reported by: RenderMan
  • Date Reported: 4/7/2017
  • Description: The SSL/TLS implementation on https://v1-1api.chiaro.co.uk/ (the API backend) receives an "F" rating on ssllabs.com due to weak and insecure cipher suites being allowed.
  • Remediation: The SSL/TLS implementation was reconfigured to only allow strong and secure ciphers and now receives an "A" rating.

DVE-2017-28

  • Date Posted:4/20/2017
  • Type of Vulnerability: Priviledge escalation; user able to query admin API calls
  • Products affected: https://v1-1api.chiaro.co.uk/
  • Found and reported by: RenderMan
  • Date Reported: 4/7/2017
  • Description: The API back end at https://v1-1api.chiaro.co.uk uses basic authentication to identify access level for API calls. Using the embedded "user" level credentials, several admin level API calls were accessible allowing access beyond a users own account
  • Remediation: Elvie reviewed all API calls, verified and corrected ACL's for admin API calls.