प्लेटफ़ॉर्म
android
घटक
halo-home-android-app
में ठीक किया गया
1.11.1
CVE-2019-5625 affects the Halo Home Android application prior to version 1.11.0. This vulnerability involves the insecure storage of OAuth authentication and refresh access tokens in a cleartext file on the device. An attacker gaining physical access or compromising the device could potentially leverage these tokens to impersonate a legitimate user and access their personal information stored in the backend cloud service.
The primary impact of CVE-2019-5625 is unauthorized access to a user's Halo Home account and associated data. An attacker with physical access to the device or the ability to install a malicious application could extract the cleartext OAuth tokens. With these tokens, the attacker could then impersonate the user, viewing and modifying their settings, potentially controlling connected smart home devices. The blast radius is limited to the individual user's account and associated devices, but the potential for privacy breaches and unauthorized control is significant. This vulnerability highlights the importance of secure storage of sensitive credentials on mobile devices.
CVE-2019-5625 was publicly disclosed on May 22, 2019. There are no known active campaigns exploiting this specific vulnerability. Public proof-of-concept code is not widely available, likely due to the requirement for physical device access. The vulnerability's low CVSS score reflects the need for physical access, limiting its immediate exploitability. It was not added to the CISA KEV catalog.
Users of the Halo Home Android application who have not upgraded to version 1.11.0 or later are at risk. This includes individuals who rely on the app to manage their smart home devices and those who may be less vigilant about device security practices, such as using strong passwords and enabling device lock.
• android / app:
# Check for the existence of the cleartext token file (example path - may vary)
adb shell 'ls /sdcard/HaloHome/tokens.txt'• android / app:
# Check app permissions for storage access
adb shell 'pm dump HaloHome | findstr "storage"'• android / app:
# Check for suspicious processes with elevated privileges
adb shell 'ps -A | grep HaloHome'disclosure
एक्सप्लॉइट स्थिति
EPSS
0.08% (24% शतमक)
CVSS वेक्टर
The primary mitigation for CVE-2019-5625 is to upgrade the Halo Home Android application to version 1.11.0 or later. This version addresses the insecure storage of OAuth tokens. As a temporary workaround, users can manually log out of the application and reboot their device to clear the stored tokens, although this is not a complete solution. Consider implementing device lock policies and enabling two-factor authentication on the Halo Home account to add an additional layer of security. Regularly review app permissions granted to the Halo Home application.
एंड्रॉइड ऐप स्टोर से हेलो होम एप्लिकेशन को संस्करण 1.11.0 या बाद के संस्करण में अपडेट करें। यह संस्करण OAuth टोकन के असुरक्षित भंडारण को ठीक करता है। अतिरिक्त उपाय के रूप में, किसी भी पहले से संग्रहीत टोकन को हटाने के लिए एप्लिकेशन से लॉग आउट करने और डिवाइस को रीबूट करने पर विचार करें।
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
CVE-2019-5625 is a vulnerability in the Halo Home Android app where OAuth tokens are stored in a cleartext file, potentially allowing unauthorized access to user accounts.
You are affected if you are using a version of the Halo Home Android app prior to 1.11.0. Upgrade to the latest version to resolve the issue.
Upgrade the Halo Home Android app to version 1.11.0 or later. As a temporary measure, log out and reboot your device.
There are no known active campaigns exploiting CVE-2019-5625, but the vulnerability remains a risk if the app is not updated.
Refer to the Halo Home security advisory published on May 22, 2019, for details on the vulnerability and the fix.
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।
अपनी build.gradle फ़ाइल अपलोड करें और तुरंत जानें कि आप प्रभावित हैं या नहीं।