OhMiBod DVE Reports

OhmiBod

Website: http://www.ohmibod.com/
Vulnerability disclosure address: security@ohmibod.com
Status: Supporter, working on partnership

DVE-2017-03

  • Date Posted: 4/2/2017
  • Type of Vulnerability: SSL/TLS implementation on api.ohmibod.com is insufficient
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 1/10/2017
  • Description: The SSL/TLS implementation on api.ohmibod.com, which is the back end for both the Android and iOS apps, receives an 'F' rating on ssllabs.com and suffers from several known vulnerabilities.
  • Remediation: The SSL/TLS implementation on api.ohmibod.com was upgraded and improved and now receives an 'A' rating on ssllabs.com.

DVE-2017-05

  • Date Posted: 4/2/2017
  • Type of Vulnerability: SSL/TLS implementation on api.ohmibod.com is insufficient
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 1/10/2017
  • Description: api.ohmibod.com, which is the back end for both the Android and iOS apps, allows non-SSL/TLS connections and does not redirect insecure connections to secure ones. This allows for SSL/TLS downgrade and man-in-the-middle attacks.
  • Remediation: api.ohmibod.com now redirects all insecure connections to secure SSL/TLS connections.
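
A defender-side check for the two TLS findings above (DVE-2017-03 and DVE-2017-05), added here as an example and not part of the DVE reports or of OhMiBod's own code: the pure helpers grade a plain-HTTP response and a Strict-Transport-Security header, and the two live functions probe a host you operate. The host name api.example.test and the sample headers are constructed placeholders, and the HSTS check goes one step beyond the page's stated remediation (a redirect alone still leaves the first request to plain HTTP exposed).

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}
LEGACY_TLS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)  # should be refused

def header(headers, name):
    """Case-insensitive header lookup on a plain dict ("" if absent)."""
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), "")

def is_secure_redirect(status, headers, expected_host):
    """DVE-2017-05 check: a plain-HTTP response is acceptable only if it is a
    redirect whose Location points at https:// on the same host."""
    if status not in REDIRECT_CODES:
        return False
    parts = urlsplit(header(headers, "Location"))
    return parts.scheme == "https" and (parts.hostname or "").lower() == expected_host.lower()

def hsts_max_age(headers):
    """Strict-Transport-Security max-age in seconds (0 if absent); a client that
    has seen it will not retry plain HTTP, closing the downgrade path."""
    for directive in header(headers, "Strict-Transport-Security").split(";"):
        name, _, val = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0

def legacy_tls_accepted(host, version, port=443, timeout=5.0):
    """DVE-2017-03 check (live network): offer the server only one legacy TLS
    version; a hardened server refuses the handshake and this returns False."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False

def audit_http(host, timeout=5.0):
    """Live DVE-2017-05 check: GET / on port 80 and grade the response."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        headers = dict(resp.getheaders())
        return is_secure_redirect(resp.status, headers, host), hsts_max_age(headers)
    finally:
        conn.close()
```

Run `audit_http("api.example.test")` and `[legacy_tls_accepted("api.example.test", v) for v in LEGACY_TLS]` against your own endpoint; the expected results after remediation are `(True, <at least a year in seconds>)` and `[False, False]`.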

DVE-2017-06

  • Date Posted: 4/2/2017
  • Type of Vulnerability: Email addresses used as usernames
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 1/10/2017
  • Description: The Ohmibod remote app allows users to use email addresses as usernames. While this is a user-created privacy issue, given the nature of the data in the profiles and that it is not clear to the user that the email used as a username will be public, it is advisable to take steps to prevent users from easily entering emails as usernames.
  • Remediation: Ohmibod apps now reject the '@' symbol when creating a username, to prevent users from accidentally violating their own privacy.