VU#229438: Mobile device monitoring services do not authenticate API requests
CERT Recently Published Vulnerability Notes kb.cert.org
Overview
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability. These services and their associated apps can be used to perform non-consensual, unauthorized monitoring and are commonly called "stalkerware." An unauthenticated remote attacker can access personal information collected from any device with one of the stalkerware variants installed.
Description
IDOR is a common web application flaw that essentially exposes information on a server …
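As an added illustration (not code from the CERT note or from any of the affected services), here is a minimal device-record lookup with the flaw the note describes, beside a hardened version that authenticates the caller and checks that the requested device belongs to that caller. The device records, token values and response shape are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample backend state: per-device records collected by the
# monitoring app, and the API tokens of the accounts that enrolled them.
DEVICES = {
    101: {"owner": "alice", "location": "51.5,-0.1", "sms": ["hi"]},
    102: {"owner": "bob", "location": "40.7,-74.0", "sms": ["call me"]},
}
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}  # constructed values


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def get_device_vulnerable(device_id: int, token: Optional[str] = None) -> Response:
    """IDOR: any caller who supplies a device_id gets that device's record.
    The token is accepted but never checked, so authentication and ownership
    are both missing."""
    record = DEVICES.get(device_id)
    if record is None:
        return Response(404)
    return Response(200, record)


def get_device_secure(device_id: int, token: Optional[str]) -> Response:
    """Authenticate first, then authorize: the record is returned only when
    the device was enrolled by the authenticated account."""
    user = TOKENS.get(token) if token else None
    if user is None:
        return Response(401)  # no valid credential presented
    record = DEVICES.get(device_id)
    # Answer 404 for both "no such device" and "not your device" so the
    # response does not reveal which identifiers exist.
    if record is None or record["owner"] != user:
        return Response(404)
    return Response(200, record)
```

The vulnerable handler returns Bob's data to an anonymous caller, while the hardened one returns a record only to the account that owns the device.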