An issue was discovered in Meatmeet Android Mobile Application 1.1.2.0. An exported activity can be spawned with the mobile application which opens a hidden page. This page, which is not available through the normal flows of the application, contains several devices which can be added to your account, two of which have not been publicly released. As a result of this vulnerability, the attacker can gain insight into unreleased Meatmeet devices.
The application exports Android activities in a manner accessible to external applications without appropriate permission restrictions. An attacker can directly spawn this activity from another application or using ADB tools, bypassing normal application navigation flows. Executing this activity opens a hidden page that is not accessible through the standard user interface, which contains a list of devices that can be added to an account — including two devices not yet publicly announced.
An attacker can gain access to confidential business information regarding unreleased Meatmeet devices, which may lead to disclosure of the company's product plans before their official release.
Patches available from the manufacturer should be applied according to the references. The manufacturer should restrict the export of the vulnerable activity by setting the android:exported="false" attribute or implementing appropriate permissions (permission) protecting access to this component.
Meatmeet Android Mobile Application version 1.1.2.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMeatmeet
APPMeatmeet1.1.2.0
Related vulnerabilities
Hardcoded credentials w aplikacji mobilnej Meatmeet
Meatmeet – transmisja danych w czystym tekście (HTTP), przechwycenie tokenów uwierzytelniania
Brak walidacji certyfikatu TLS w aplikacji mobilnej Meatmeet
The application uses an insecure hashing algorithm (MD5) to hash passwords. If an attacker obtained a copy of ...
The mobile application insecurely handles information stored within memory. By performing a memory dump on the...