Elvie DVE Reports
Elvie
Website: https://www.elvie.com/
Vulnerability disclosure address: None Yet Public
Status: Early discussions
DVE-2017-26
- Date Posted: 4/20/2017
- Type of Vulnerability: Static password embedded in Android app
- Products affected: Elvie Android App before v1.7.4
- Found and reported by: RenderMan
- Date Reported: 4/7/2017
- Description: The Elvie Android app (and the iOS app) uses a single static username and password, embedded in the app, to authenticate to the API. The same credentials worked against APIs for multiple use cases and granted more access than the app needed.
- Remediation: The app still uses basic authentication with static credentials; however, the other APIs now use separate credentials, and API permissions were reviewed and locked down as described in DVE-2017-28.
DVE-2017-27
- Date Posted: 4/20/2017
- Type of Vulnerability: Multiple SSL/TLS Implementation Issues
- Products affected: https://v1-1api.chiaro.co.uk/
- Found and reported by: RenderMan
- Date Reported: 4/7/2017
- Description: The SSL/TLS configuration of https://v1-1api.chiaro.co.uk/ (the API backend) received an "F" rating from the SSL Labs server test (ssllabs.com) because weak and insecure cipher suites were enabled.
- Remediation: The SSL/TLS configuration was changed to allow only strong, secure cipher suites and now receives an "A" rating.
DVE-2017-28
- Date Posted: 4/20/2017
- Type of Vulnerability: Privilege escalation; user-level credentials able to call admin API endpoints
- Products affected: https://v1-1api.chiaro.co.uk/
- Found and reported by: RenderMan
- Date Reported: 4/7/2017
- Description: The API backend at https://v1-1api.chiaro.co.uk uses HTTP basic authentication to determine the access level for API calls. Using the "user" level credentials embedded in the app, several admin-level API calls could be made, giving access beyond the user's own account.
- Remediation: Elvie reviewed all API calls and verified and corrected the ACLs on the admin API calls.
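The pattern behind DVE-2017-26 and DVE-2017-28 is an API that authenticates a caller (the credentials are valid) but never authorizes the call (is this caller allowed to hit this route?). The following is an added illustration written for this page, not code from Elvie or from the reporter, and it knows nothing about the real API: the credential store, the usernames, the route paths and the role names are all constructed for the example. It shows a request dispatcher that only checks the basic-auth header, beside one that also enforces a per-route minimum role, and how a shared "app-client" credential with the "user" role fares against each.

```python
import base64
import hmac
from typing import Dict, Optional, Tuple

# Constructed, hypothetical credential store: username -> (password, role).
# The shared "app-client" entry stands in for a static credential shipped
# inside a mobile app; nothing here is taken from the Elvie API.
CREDENTIALS: Dict[str, Tuple[str, str]] = {
    "app-client": ("static-app-secret", "user"),
    "ops-admin": ("ops-admin-secret", "admin"),
}

# Hypothetical route table: path -> minimum role required to call it.
ROUTES: Dict[str, str] = {
    "/v1/account/me": "user",
    "/v1/admin/users": "admin",
}

ROLE_RANK = {"user": 0, "admin": 1}


def basic_header(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def authenticate(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Validate a Basic header; return (username, role), or None on failure."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep or username not in CREDENTIALS:
        return None
    expected, role = CREDENTIALS[username]
    # Constant-time comparison so the password check does not leak timing.
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return username, role


def vulnerable_dispatch(path: str, authorization: Optional[str]) -> Tuple[int, str]:
    """Authentication only: any valid credential reaches any route.

    This is the DVE-2017-28 shape: the 'user' credential baked into the
    app is accepted for admin routes because no ACL is consulted.
    """
    principal = authenticate(authorization)
    if principal is None:
        return 401, "unauthorized"
    if path not in ROUTES:
        return 404, "not found"
    return 200, f"{path} served to {principal[0]}"


def fixed_dispatch(path: str, authorization: Optional[str]) -> Tuple[int, str]:
    """Authentication plus a per-route ACL: the caller's role must meet the
    route's minimum role, otherwise the call is refused with 403."""
    principal = authenticate(authorization)
    if principal is None:
        return 401, "unauthorized"
    if path not in ROUTES:
        return 404, "not found"
    username, role = principal
    if ROLE_RANK[role] < ROLE_RANK[ROUTES[path]]:
        return 403, "forbidden"
    return 200, f"{path} served to {username}"


if __name__ == "__main__":
    # The static credential a mobile app might ship with (constructed).
    app_creds = basic_header("app-client", "static-app-secret")
    for route in ROUTES:
        print(route,
              "vulnerable:", vulnerable_dispatch(route, app_creds),
              "fixed:", fixed_dispatch(route, app_creds))
```

Note what the ACL does and does not fix: with the role check in place the embedded "user" credential can no longer reach admin routes, but every app install still presents the same username and password, so the server still cannot tell one user apart from another on that credential, and anyone who extracts it from the APK holds it until it is rotated. That is why DVE-2017-26's remediation leaves per-user credentials, or per-install tokens issued after a real login, as the remaining gap.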