Plattform
android
Komponente
halo-home-android-app
Behoben in
1.11.1
CVE-2019-5625 affects the Halo Home Android application prior to version 1.11.0. This vulnerability involves the insecure storage of OAuth authentication and refresh access tokens in a cleartext file on the device. An attacker gaining physical access or compromising the device could potentially leverage these tokens to impersonate a legitimate user and access their personal information stored in the backend cloud service.
The primary impact of CVE-2019-5625 is the potential for unauthorized access to a user's Halo Home account and associated data. An attacker gaining physical control of an Android device running a vulnerable version of the Halo Home app, or successfully installing a malicious application, can locate the plaintext OAuth tokens. These tokens can then be used to impersonate the legitimate user, granting the attacker access to view and modify the user's personal information stored on the Halo Home backend cloud service. This includes potentially controlling smart home devices managed through the app. The risk is amplified if the device is rooted or already compromised, as it simplifies the attacker's ability to locate and extract the sensitive tokens. While the vulnerability requires physical access or a malicious app installation, the ease of token extraction once access is gained makes it a significant concern.
CVE-2019-5625 is not listed on the CISA KEV catalog. The CVSS score of 2.8 (LOW) reflects the requirement for physical device access or malicious app installation, limiting the immediate exploitability. While no public proof-of-concept (PoC) code has been widely publicized, the vulnerability's nature makes it likely that exploit tools could be developed. The vulnerability was disclosed publicly on May 22, 2019, alongside the CVE assignment.
Users of the Halo Home Android application who have not upgraded to version 1.11.0 or later are at risk. This includes individuals who rely on the app to manage their smart home devices and those who may be less vigilant about device security practices, such as using strong passwords and enabling device lock.
• android / app:
# Check for the existence of the cleartext token file (example path - may vary)
adb shell 'ls /sdcard/HaloHome/tokens.txt'• android / app:
# Check app permissions for storage access
adb shell 'pm dump HaloHome | findstr "storage"'• android / app:
# Check for suspicious processes with elevated privileges
adb shell 'ps -A | grep HaloHome'disclosure
Exploit-Status
EPSS
0.08% (24% Perzentil)
CVSS-Vektor
The primary mitigation for CVE-2019-5625 is to immediately upgrade the Halo Home Android application to version 1.11.0 or later. This version addresses the vulnerability by securely storing OAuth tokens, preventing their exposure in plaintext. If upgrading is not immediately feasible, consider implementing device-level security measures such as enabling device encryption and requiring strong passwords or biometric authentication. Regularly review installed applications and remove any suspicious or unauthorized apps. Users should also be educated about the risks of installing apps from untrusted sources and the importance of keeping their devices secure. After upgrading, verify the fix by confirming that OAuth tokens are no longer stored in a plaintext file using a file explorer on the device.
Aktualisieren Sie die Halo Home Anwendung auf Version 1.11.0 oder höher aus dem Android App Store. Diese Version behebt die unsichere Speicherung von OAuth Tokens. Als zusätzliche Maßnahme sollten Sie sich aus der Anwendung abmelden und das Gerät neu starten, um alle zuvor gespeicherten Tokens zu entfernen.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2019-5625 is a vulnerability in the Halo Home Android app where OAuth tokens are stored in a cleartext file, potentially allowing unauthorized access to user accounts.
You are affected if you are using a version of the Halo Home Android app prior to 1.11.0. Upgrade to the latest version to resolve the issue.
Upgrade the Halo Home Android app to version 1.11.0 or later. As a temporary measure, log out and reboot your device.
There are no known active campaigns exploiting CVE-2019-5625, but the vulnerability remains a risk if the app is not updated.
Refer to the Halo Home security advisory published on May 22, 2019, for details on the vulnerability and the fix.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine build.gradle-Datei hoch und wir sagen dir sofort, ob du betroffen bist.