OhMiBod DVE Reports

OhmiBod

Website: http://www.ohmibod.com/
Vulnerability disclosure address: security@ohmibod.com
Vulnerability disclosure site: http://www.ohmibod.com/security
Status: Trusted Partner Vendor

DVE-2017-03

  • Date Posted: 4/2/2017
  • Type of Vulnerability: SSL/TLS implementation on api.ohmibod.com is insufficient
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 1/10/2017
  • Description: The SSL/TLS implementation on api.ohmibod.com, which is the back end for both the Android and iOS apps, receives an 'F' rating on ssllabs.com and suffers from several known vulnerabilities.
  • Remediation: The SSL/TLS implementation on api.ohmibod.com was upgraded and improved and now receives an 'A' rating on ssllabs.com.

DVE-2017-05

  • Date Posted: 4/2/2017
  • Type of Vulnerability: SSL/TLS implementation on api.ohmibod.com is insufficient
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 1/10/2017
  • Description: api.ohmibod.com, which is the back end for both the Android and iOS apps, allows non-SSL/TLS connections and does not redirect insecure connections to secure ones. This allows for SSL/TLS downgrade and man-in-the-middle attacks.
  • Remediation: api.ohmibod.com now redirects all insecure connections to secure SSL/TLS connections.

DVE-2017-06

  • Date Posted: 4/2/2017
  • Type of Vulnerability: Email addresses used as usernames
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 1/10/2017
  • Description: The Ohmibod remote app allows users to use email addresses as usernames. While this is a user-created privacy issue, given the nature of the data in the profiles and that it's not clear that an email address used as a username will be public, it's advisable to take steps to prevent users from easily entering emails as usernames.
  • Remediation: Ohmibod apps now prevent usage of the '@' symbol when creating a username to prevent users from violating their own privacy accidentally.

DVE-2017-02

  • Date Posted: 4/29/2017
  • Type of Vulnerability: User enumeration via search function & SQL injection
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: PixlBlur & RenderMan
  • Date Reported: 1/10/2017
  • Description: The OhMiBod app and API include a search function to find other users by their username. The search allows single-letter searches, which makes it possible to enumerate all public profiles. A user who sets their profile to private must be searched for by the complete username. However, this function has an SQL injection vulnerability which allows an attacker to "dump" all profiles, regardless of privacy settings, in a single query.
  • Remediation: Queries to the database are now properly sanitised and the app and API no longer allow partial name searches.
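
The search behaviour described in DVE-2017-02, before and after the remediation, as an added example that is not OhMiBod's code: the table layout, column names and function names are assumptions, and the sample rows and search terms are constructed.

```python
import sqlite3

# Constructed search term containing quote characters.
QUOTED_TERM = "x' OR '1'='1"

def make_db():
    # Constructed sample data: two public profiles and one private profile.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (username TEXT PRIMARY KEY, private INTEGER)")
    db.executemany("INSERT INTO profiles VALUES (?, ?)",
                   [("alice", 0), ("albert", 0), ("carol", 1)])
    return db

def search_vulnerable(db, term):
    # 'Before' form: public profiles match on a prefix, private ones on the
    # full name, and the term is concatenated into the SQL text. Quotes in
    # the term therefore change the structure of the WHERE clause.
    sql = ("SELECT username FROM profiles "
           "WHERE (private = 0 AND username LIKE '" + term + "%') "
           "OR username = '" + term + "'")
    return sorted(row[0] for row in db.execute(sql))

def search_fixed(db, term):
    # 'After' form: the term is bound as a parameter, so it is only ever
    # compared as data, and only a complete username matches (no partial
    # name searches for public or private profiles).
    if not term or len(term) > 32:
        return []
    rows = db.execute("SELECT username FROM profiles WHERE username = ?", (term,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, single letter:", search_vulnerable(db, "a"))
    print("vulnerable, quoted term:  ", search_vulnerable(db, QUOTED_TERM))
    print("fixed, single letter:     ", search_fixed(db, "a"))
    print("fixed, quoted term:       ", search_fixed(db, QUOTED_TERM))
    print("fixed, complete username: ", search_fixed(db, "carol"))
```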

DVE-2017-07

  • Date Posted: 6/11/2017
  • Type of Vulnerability: Test interface publicly available
  • Products affected: N/A
  • Found and reported by: RenderMan
  • Date Reported: 1/10/2017
  • Description: The OhMiBod API server had a user test form that provided a simple interface to the POST requests that change user profile information. Additional information was needed to change any profile, so it was not directly exploitable, but this interface may pose an unnecessary risk.
  • Remediation: The form is no longer publicly available.

DVE-2017-01

  • Date Posted: 6/11/2017
  • Type of Vulnerability: User email enumeration
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 1/10/2017
  • Description: User tokens used to establish connections between users are bcrypt hashes of the user's email address. Since the salt is included with the hash, it is possible to compare the hashes in each user profile against a list of emails (albeit at great computational cost).
  • Remediation: This is now a low risk and considered fixed, because other changes make access to user tokens difficult and because of the computational cost of cracking them.

DVE-2017-08

  • Date Posted: 6/11/2017
  • Type of Vulnerability: User account passwords can be changed arbitrarily without authentication
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: PixlBlur
  • Date Reported: 1/10/2017
  • Description: Using the same techniques as in DVE-2017-04, it is possible to replace any OhMiBod user's password via a simple POST to https://api.ohmibod.com/user/password. By using the “token” parameter from the target's account, which is publicly available, and setting the “password” parameter to a value of the attacker's choosing, any account password may be overwritten and thus the account hijacked.
  • Remediation: User sessions now use session tokens that limit changes to the account to the authenticated account owner.

DVE-2017-04

  • Date Posted: 6/11/2017
  • Type of Vulnerability: User account details can be changed arbitrarily without authentication
  • Products affected: Ohmibod Apps prior to v7.0.2 on Android and v5.1.7 on iOS
  • Found and reported by: PixlBlur & RenderMan
  • Date Reported: 1/10/2017
  • Description: Using similar techniques as in DVE-2017-08, it is possible to change parameters and information in any OhMiBod user's profile via a simple POST to https://api.ohmibod.com/user/. By using the “token” parameter from the target's account and setting the parameter to be changed to a value of the attacker's choosing, any account's details may be changed.
  • Remediation: User sessions now use session tokens that limit changes to the account to the authenticated account owner.
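
The remediation for DVE-2017-08 and DVE-2017-04, sketched as an added example that is not OhMiBod's code: a random session token issued at login (not derived from the email address, compare DVE-2017-01) decides which account a request may change. The class, its method names and the storage layout are assumptions.

```python
import hashlib
import hmac
import secrets

def _hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _session_key(token):
    # Only a digest of the session token is kept server-side.
    return hashlib.sha256((token or "").encode()).hexdigest()

class Accounts:
    def __init__(self):
        self.users = {}     # username -> (salt, password hash)
        self.sessions = {}  # sha256(session token) -> username

    def register(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_pw(password, salt))

    def check_password(self, username, password):
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        return hmac.compare_digest(stored, _hash_pw(password, salt))

    def login(self, username, password):
        if not self.check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)  # random, carries no user data
        self.sessions[_session_key(token)] = username
        return token

    def change_password(self, session_token, target_user, new_password):
        # The session, not a value visible in a public profile, identifies
        # the caller; a request naming another account is refused.
        owner = self.sessions.get(_session_key(session_token))
        if owner is None or owner != target_user:
            return False
        self.register(owner, new_password)
        # Revoke every session of the account after a password change.
        self.sessions = {k: u for k, u in self.sessions.items() if u != owner}
        return True
```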