Security Advisory – Vulnerability Analysis of eWeLink APP Local Log Containing Partial Device Information

Title: Security Advisory – Vulnerability Analysis of eWeLink APP Local Log Containing Partial Device Information
Release Date: 2023/12/20
Abstract: In eWeLink APP version 3.x, some device information is logged locally during the device pairing process. An attacker who gains file permissions by connecting to the user's phone can read this log, which leaks that device information.
Affected Product: eWeLink APP
Affected Version: eWeLink APP 3.x
Impact: Attackers can exploit this vulnerability to obtain critical information associated with the user's account and impersonate legitimate devices to gain access to the system.
Technical Details:
Exploitation Preconditions: The attacker has access to the phone (e.g., via adb).

Technical Details: In app version 3.x the pairing logs are not encrypted and device information is printed to them unnecessarily, so attackers can steal and exploit these details.
Resolution: Update to the latest version of the app.
