A vulnerability was found in Halo Home App up to 1.10.x on Android (Android App Software). It has been rated as problematic. Affected by this issue is some unknown functionality of the component Authentication Storare Handler. The manipulation with an unknown input leads to a access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted is confidentiality, integrity, and availability. CVE summarizes:

The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.

The weakness was presented 05/22/2019. This vulnerability is handled as CVE-2019-5625 since 01/07/2019. The attack needs to be approached locally. A simple authentication is required for exploitation. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.

Upgrading to version 1.11.0 eliminates this vulnerability.

See VDB-135369 and VDB-135370 for similar entries.

Productinfo

Type

• Android App Software

Name

• Halo Home App

Version

• 1.0
• 1.1
• 1.2
• 1.3
• 1.4
• 1.5
• 1.6
• 1.7
• 1.8
• 1.9
• 1.10

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion