Vibease DVE Reports

Vibease

Website:https://www.vibease.com/
Security Contact: TBD
Status: Establishing security program
Supporter Since January 2017

DVE-2017-10

  • Date Posted:4/2/2017
  • Type of Vulnerability: Excessive Android Permission
  • Products affected: Vibease app v2.50.34 and earlier on Android
  • Found and reported by: RenderMan
  • Date Reported: 2/1/2017
  • Description: The android app requests the WRITE_SECURE_SETTINGS permission which is a restricted permisson according to android developer docs and should never be used in third party apps
  • Remediation: The WRITE_SECURE_SETTINGS permission is no longer requested as of v2.50.35 on Android

DVE-2017-14

  • Date Posted:4/2/2017
  • Type of Vulnerability: User enumeration
  • Products affected: Vibease apps prior to v2.50.35 on Android and 1.5.9 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 2/1/2017
  • Description: The getbatchcontactinfo API function allows for users to query the profiles of other users besides themselves if the username is known or guessed. The results of the query include the usernames that user has contacted in the past, providing further usernames to query. Through many iterations of this, it is possible to enumerate a large number of users.
  • Remediation: The API has been updated to permit only requests for the issuers username

DVE-2017-15

  • Date Posted:4/2/2017
  • Type of Vulnerability: Personal Identifying Information Disclosure
  • Products affected: Vibease apps prior to v2.50.35 on Android and 1.5.9 on iOS
  • Found and reported by: RenderMan
  • Date Reported: 2/1/2017
  • Description: The API function allows a valid token/username combo to query the profile of any username. Utilising the user enumeration vulnerability in DCE-2017-14 to assemble a list of usernames, the getuserprofile API function can be used to extract the records for those users which contains several pieces of PII that the users are highly unlikely to want to share including, Credit Balance, Date Of Birth, Email address, Friend Code (optional for enhanced privacy in chat invitations), Partner nickname
  • Remediation: The API has been updated to permit only requests for the issuers username