PT-2019-13124 · Tronlink · Tronlink Wallet

Published

2019-07-22

·

Updated

2019-07-24

·

CVE-2019-13098

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

TronLink Wallet version 2.2.0

Description

TronLink Wallet 2.2.0 writes the password entered in the registration form to the Android system log when the CreateWalletTwoActivity class is invoked. Anyone who can read the device log can recover the password afterwards, for example by dumping it with Logcat (adb logcat) on the device. On Android versions before 4.1 (Jelly Bean) the log is not sandboxed per application, so any installed app holding the READ_LOGS permission can read entries written by other apps. On 4.1 and later an app can read only its own entries, but the full log remains readable to anyone with shell access to the device (USB debugging) or root.

Recommendations

The defect is in the application, not in the device configuration: the password must not be written to the log at all, so the fix belongs in CreateWalletTwoActivity (remove the logging of the entered password, and strip debug logging from release builds). Until a patched build of TronLink Wallet is available, do not create a wallet through the registration form of version 2.2.0 on a shared device or on one with USB debugging enabled, and clear the log buffer (adb logcat -c) if the form has already been used.
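A way to confirm the leak (or verify a fix) is to dump the device log and search it for the password that was just typed. The script below is an added example written for this page, not code from the advisory or from the TronLink project. It parses logcat's threadtime format so a hit can be attributed to a PID and tag, searches for a known secret or, when the secret is unknown, for secret-looking keywords, and redacts the finding before printing it. The sample log lines, the tag name and the password value are constructed; a real capture is obtained with `adb logcat -d -v threadtime`.

```python
"""Check a logcat dump for a password (or other secret) an app wrote to the log.

Capture on a connected device/emulator with:  adb logcat -d -v threadtime > logcat.txt
then run:  python check_logcat.py logcat.txt 'the-password-you-typed'
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional, Sequence

# logcat "threadtime" layout: MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG     : message
THREADTIME_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>.*?)\s*: (?P<msg>.*)$"
)

# Substrings that usually mark a sensitive value being logged even when the
# exact secret is unknown. Assumed starting list; extend it for the app under test.
DEFAULT_KEYWORDS: Sequence[str] = (
    "password", "passwd", "pwd", "passphrase", "mnemonic", "private key", "seed",
)


@dataclass
class LogEntry:
    pid: int
    tid: int
    level: str
    tag: str
    msg: str


def parse_threadtime(line: str) -> Optional[LogEntry]:
    """Parse one threadtime-format line; return None for buffer separators or garbage."""
    m = THREADTIME_RE.match(line)
    if m is None:
        return None
    return LogEntry(int(m["pid"]), int(m["tid"]), m["level"], m["tag"], m["msg"])


def find_secret(lines: Iterable[str], secret: str) -> List[LogEntry]:
    """Entries whose message contains the secret verbatim (the CVE-2019-13098 situation)."""
    if not secret:
        raise ValueError("secret must not be empty")
    return [e for e in map(parse_threadtime, lines) if e is not None and secret in e.msg]


def find_keywords(lines: Iterable[str], keywords: Sequence[str] = DEFAULT_KEYWORDS) -> List[LogEntry]:
    """Entries whose message mentions a secret-looking keyword (case-insensitive)."""
    hits: List[LogEntry] = []
    for e in map(parse_threadtime, lines):
        if e is None:
            continue
        low = e.msg.lower()
        if any(k in low for k in keywords):
            hits.append(e)
    return hits


def redact(msg: str, secret: str) -> str:
    """Replace the secret so a finding can be reported without re-leaking it."""
    return msg.replace(secret, "<redacted>")


def dump_logcat() -> List[str]:
    """Pull the current log buffer from the attached device via adb."""
    out = subprocess.run(
        ["adb", "logcat", "-d", "-v", "threadtime"],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.splitlines()


# Constructed sample capture (not from a real device). The tag reuses the class
# named in the advisory; the message layout and the password are assumptions.
SAMPLE_LOGCAT = [
    "--------- beginning of main",
    "07-22 10:15:00.001   812   812 I ActivityManager: constructed noise line",
    "07-22 10:15:01.123  4321  4321 D CreateWalletTwoActivity: password: Tr0n-w4llet-pw!",
    "07-22 10:15:01.124  4321  4321 D CreateWalletTwoActivity: confirm: Tr0n-w4llet-pw!",
    "07-22 10:15:02.000  4321  4350 W Network : request timed out",
    "not a logcat line at all",
]


if __name__ == "__main__":
    # Usage: check_logcat.py [logcat.txt] <secret>; with one argument, pull the log via adb.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines, secret = fh.read().splitlines(), sys.argv[2]
    else:
        lines, secret = dump_logcat(), sys.argv[1]
    for e in find_secret(lines, secret):
        print(f"LEAK pid={e.pid} tag={e.tag} level={e.level}: {redact(e.msg, secret)}")
    for e in find_keywords(lines):
        print(f"SUSPECT pid={e.pid} tag={e.tag}: {redact(e.msg, secret)}")
```

The keyword pass is deliberately noisy: it exists to catch the same class of defect in a build where the password is not known to the tester. On the application side the only real fix is to never pass the password (or seed, mnemonic or private key) to android.util.Log; as a second line of defence, release builds are commonly configured to strip Log calls entirely with an R8/ProGuard -assumenosideeffects rule, which is general Android practice rather than anything the advisory states about TronLink.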

Weakness Enumeration

Insertion of Sensitive Information into Log File (CWE-532)

Related Identifiers

CVE-2019-13098

Affected Products

Tronlink Wallet