Texture Canada Unencrypted Third Party Analytics

2019.05.11
Credit: David Coomber
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 4/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

Texture Canada Android & iOS Applications - Unencrypted Third Party Analytics (CVE-2019-8632)

https://www.info-sec.ca/advisories/Texture.html

Overview

"Texture: Unlimited access to over 100 of the world's best magazines on your computer, smartphone or tablet."

(https://play.google.com/store/apps/details?id=com.nim.rogers)
(https://itunes.apple.com/ca/app/texture-canada/id649174756)

Issue

The Texture Canada Android & iOS applications (Android version 4.21.0.1, iOS version 5.11.6 and below) send potentially sensitive information, such as number of app launches, device model, Android or iOS version and screen resolution, unencrypted to a third party site (ScorecardResearch).

Impact

An attacker who can monitor network traffic could capture potentially sensitive information about the user's device without their knowledge.

Timeline

July 10, 2018 - Attempted to notify Texture of the issue via security@texture.ca
July 10, 2018 - Attempted to notify Texture of the issue via support@texture.ca
July 12, 2018 - Provided the details of the issue to Apple via product-security@apple.com
May 9, 2019 - Published an advisory to document the issue

Solution

Upgrade to Android version 4.22.0.4 or iOS version 5.11.10

(U.S. versions are also affected but have not been tested)

https://support.apple.com/en-us/HT210110
https://support.apple.com/en-us/HT210111
https://support.apple.com/en-us/HT201222

CVE-ID: CVE-2019-8632
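
One way to check an app build for the behaviour described under Issue is to audit the request URLs exported from an intercepting proxy. The following is an added example, not code from the advisory or from the vendor. The host names, the first-party suffix and the query parameter names are constructed placeholders, since the advisory does not list the actual request format.

```python
from urllib.parse import urlsplit, parse_qs

# Hypothetical parameter names standing in for the fields the advisory lists
# (app launches, device model, OS version, screen resolution).
DEVICE_FIELDS = {"launches", "model", "os_version", "resolution"}

# Constructed sample of request URLs, as exported from an intercepting proxy.
SAMPLE_URLS = [
    "https://api.app.example/v1/issues?page=2",
    "http://analytics.thirdparty.example/p?launches=14&model=Pixel%203"
    "&os_version=9&resolution=1080x2160",
    "https://analytics.thirdparty.example/p?model=Pixel%203",
    "http://cdn.app.example/covers/123.jpg",
    "http://ads.other.example/i?id=7",
]

def is_first_party(host, first_party_suffixes):
    """True if host equals, or is a subdomain of, a first-party suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in first_party_suffixes)

def audit(urls, first_party_suffixes):
    """Return one finding per cleartext (http://) request, most serious class first-tested."""
    findings = []
    for url in urls:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # TLS-protected requests are out of scope for this check
        host = parts.hostname or ""
        third_party = not is_first_party(host, first_party_suffixes)
        # Device metadata fields present in the query string, if any.
        leaked = sorted(DEVICE_FIELDS & {k.lower() for k in parse_qs(parts.query)})
        if third_party and leaked:
            severity = "device-metadata-to-third-party"
        elif third_party:
            severity = "cleartext-third-party"
        else:
            severity = "cleartext-first-party"
        findings.append({"host": host, "severity": severity, "fields": leaked})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_URLS, {"app.example"}):
        print(finding)
```

Running the same audit against traffic from the fixed versions should produce no "device-metadata-to-third-party" findings.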

