Mucahit Ic

**Name of the Vulnerable Software and Affected Versions** Tap&Sign App versions prior to V.1.025 **Description** The issue concerns a Weak Password Recovery Mechanism for Forgotten Password, allowing password recovery exploitation and functionality misuse in the Tap&Sign App. It also involves cleartext storage of sensitive information in an environment variable. **Recommendations** For versions prior to V.1.025, update to version V.1.025 or later to resolve the issue. As a temporary workaround, consider restricting access to the password recovery mechanism until the update is applied. Avoid using the password recovery feature in the affected versions to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Pik Online versions through 05.03.2025 **Description** The issue allows for Authorization Bypass Through User-Controlled Key and Exposure of Private Personal Information to an unauthorized actor. This can lead to Account Footprinting and Session Hijacking. The vendor was contacted about this disclosure but did not respond. **Recommendations** For versions through 05.03.2025, at the moment, there is no information about a newer version that contains a fix for this vulnerability.