| Title | BlackVue Dashcam APK v3.65 Plaintext Password in Configuration File |
|---|---|
| Description | In the BlackVue v3.65 APK, both BCS_TOKEN and SECRET_KEY, along with the API endpoints, are exposed in the clear. These two values, together with an easily computable bcsSignature and user tokens, would allow an attacker to make privileged requests and make changes to the dashcam. While user tokens are typically secret, these requests are sent via GET parameter. In other words, the server secrets are stored in plaintext while the client secrets are transmitted in URLs, which are logged by solutions such as proxies, referral URLs, or browser history. Any users sitting behind a proxy, such as corporate users, would have their GET parameters and user tokens logged in plaintext, and an attacker with access to proxy logs or even a referral URL would be able to chain the above two weaknesses to perform account takeover. |
| Source | https://github.com/geo-chen/BlackVue/blob/main/README.md#finding-2-hardcoded-secrets-exposed-in-plaintext |
| User | geochen (UID 78995) |
| Submission | 03/03/2025 17:10 (1 Year ago) |
| Moderation | 03/15/2025 21:57 (12 days later) |
| Status | Accepted |
| VulDB entry | 299822 [BlackVue App 3.65 on Android API Endpoint BCS_TOKEN/SECRET_KEY credentials storage] |
| Points | 20 |