1.11.1
CVE-2019-5625 affects the Halo Home Android application prior to version 1.11.0. This vulnerability involves the insecure storage of OAuth authentication and refresh access tokens in a cleartext file on the device. An attacker gaining physical access or compromising the device could potentially leverage these tokens to impersonate a legitimate user and access their personal information stored in the backend cloud service.
The primary impact of CVE-2019-5625 is unauthorized access to a user's Halo Home account and associated data. An attacker with physical access to the device or the ability to install a malicious application could extract the cleartext OAuth tokens. With these tokens, the attacker could then impersonate the user, viewing and modifying their settings, potentially controlling connected smart home devices. The blast radius is limited to the individual user's account and associated devices, but the potential for privacy breaches and unauthorized control is significant. This vulnerability highlights the importance of secure storage of sensitive credentials on mobile devices.
CVE-2019-5625 was publicly disclosed on May 22, 2019. There are no known active campaigns exploiting this specific vulnerability. Public proof-of-concept code is not widely available, likely due to the requirement for physical device access. The vulnerability's low CVSS score reflects the need for physical access, limiting its immediate exploitability. It was not added to the CISA KEV catalog.
Users of the Halo Home Android application who have not upgraded to version 1.11.0 or later are at risk. This includes individuals who rely on the app to manage their smart home devices and those who may be less vigilant about device security practices, such as using strong passwords and enabling device lock.
• android / app:
# Check for the existence of the cleartext token file (example path - may vary)
adb shell 'ls /sdcard/HaloHome/tokens.txt'
• android / app:
# Check app permissions for storage access (HaloHome stands in for the app's package name)
adb shell 'pm dump HaloHome | grep -i "storage"'
• android / app:
# List running processes matching the app name; the first column is the user each runs as
adb shell 'ps -A | grep HaloHome'
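An added example (not from the original page or the vendor): a shell audit that scans a directory of app files copied from a test device for OAuth token keys stored in cleartext, and reports the file and key names without printing the token values. The key names access_token and refresh_token, the three storage formats matched (JSON, SharedPreferences XML, key=value) and the sample files are assumptions; the page does not state the real file format.

```shell
#!/bin/sh
# Audit files already copied off a test device for cleartext OAuth tokens.
# Heuristic: a token key followed by a value of 8+ characters, in JSON,
# SharedPreferences XML or key=value form (assumed formats, not the vendor's).
PATTERN='"?(access_token|refresh_token)"?[[:space:]]*(:|=|>)[[:space:]]*"?[^"<[:space:]]{8,}'

# audit_token_files DIR
# Prints one "CLEARTEXT-TOKEN <path> keys=<names>" line per offending file.
# Returns 0 if nothing was found, 1 if tokens were found, 2 on bad input.
audit_token_files() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    # -r recurse, -I skip binary files, -l list matching file names only
    hits=$(grep -rIlE -- "$PATTERN" "$1" 2>/dev/null) || return 0
    printf '%s\n' "$hits" | while IFS= read -r f; do
        # Extract only the key names; the token values are never echoed.
        keys=$(grep -oE -- "$PATTERN" "$f" \
               | grep -oE 'access_token|refresh_token' | sort -u | paste -sd, -)
        printf 'CLEARTEXT-TOKEN %s keys=%s\n' "$f" "$keys"
    done
    return 1
}

# make_sample DIR: write constructed sample files (not real tokens) for a dry run.
make_sample() {
    mkdir -p "$1/files" "$1/shared_prefs"
    # Constructed: both tokens present in cleartext JSON, should be flagged.
    printf '{"access_token": "CONSTRUCTED-aaaaaaaaaaaa", "refresh_token": "CONSTRUCTED-bbbbbbbbbbbb"}\n' \
        > "$1/files/tokens.txt"
    # Constructed: key present but empty (logged-out state), should not be flagged.
    printf '{"access_token": ""}\n' > "$1/files/logged_out.json"
    # Constructed: unrelated preference file, should not be flagged.
    printf '<map><string name="theme">dark</string></map>\n' > "$1/shared_prefs/ui.xml"
}

# Stand-alone use: sh audit.sh <directory>; exit status 1 means tokens were found.
if [ "$#" -ge 1 ]; then
    audit_token_files "$1"
fi
```

Running it against the same directory after upgrading to 1.11.0 or later and logging in again shows whether any cleartext token file is still being written.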
EPSS: 0.08% (24th percentile)
The primary mitigation for CVE-2019-5625 is to upgrade the Halo Home Android application to version 1.11.0 or later. This version addresses the insecure storage of OAuth tokens. As a temporary workaround, users can manually log out of the application and reboot their device to clear the stored tokens, although this is not a complete solution. Consider implementing device lock policies and enabling two-factor authentication on the Halo Home account to add an additional layer of security. Regularly review app permissions granted to the Halo Home application.
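Update the Halo Home application from the Android app store to version 1.11.0 or later. This version fixes the insecure storage of OAuth tokens. As an additional security measure, consider logging out of the application and rebooting the device to remove any previously stored tokens.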
CVE-2019-5625 is a vulnerability in the Halo Home Android app where OAuth tokens are stored in a cleartext file, potentially allowing unauthorized access to user accounts.
You are affected if you are using a version of the Halo Home Android app prior to 1.11.0. Upgrade to the latest version to resolve the issue.
Upgrade the Halo Home Android app to version 1.11.0 or later. As a temporary measure, log out and reboot your device.
There are no known active campaigns exploiting CVE-2019-5625, but the vulnerability remains a risk if the app is not updated.
Refer to the Halo Home security advisory published on May 22, 2019, for details on the vulnerability and the fix.