PT-2020-20281 · Oklok · Oklok Mobile Companion App, Fingerprint Bluetooth Padlock FB50

Published: 2020-05-04 · Updated: 2021-07-21 · CVE-2020-8791

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OKLOK mobile companion app version 3.1.1; Fingerprint Bluetooth Padlock FB50 version 2.3
Description: The issue allows remote attackers to submit API requests using authenticated but unauthorized tokens, resulting in IDOR issues. A remote attacker can use their own token to make unauthorized API requests on behalf of arbitrary user IDs. Valid and current user IDs are trivial to guess because of the user ID assignment convention used by the app. A remote attacker could harvest email addresses, unsalted MD5 password hashes, owner-assigned lock names, and owner-assigned fingerprint names for any range of arbitrary user IDs.
Recommendations: The flaw is a server-side authorization failure: the API authenticates the token but then serves whatever user ID the client supplies instead of the user the token was issued to, so it cannot be fixed from the OKLOK app or the FB50 padlock. The fix belongs in the backend: bind each request to the token's principal and refuse (403) any request naming a different user ID, and stop returning password hashes at all; storing unsalted MD5 should be replaced with a salted, slow password hash. Until a fixed release is available, exposure can only be limited: restrict access to the affected API endpoints, and users should assume their email address and password hash are recoverable and must not reuse the OKLOK password anywhere else. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
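The authorization failure the description refers to, shown as an added example that models the flaw class rather than the Oklok API (the endpoint names, token format, user IDs and records below are constructed for illustration): a profile lookup that authenticates the token but trusts the client-supplied user ID, the same lookup bound to the token's principal, the sweep over sequential IDs with a single valid token, and why unsalted MD5 makes every harvested hash cheap to reverse with one precomputed table.

```python
"""
Added example, not Oklok's code or API: a toy account service modelling the
IDOR class in CVE-2020-8791. Endpoint names, token format, user IDs and
records are constructed for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class User:
    user_id: int
    email: str
    password_md5: str              # unsalted MD5, as the advisory describes
    lock_name: str
    fingerprint_names: List[str] = field(default_factory=list)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Constructed sample database. IDs are sequential, which is what makes
# "valid and current user IDs trivial to guess".
USERS: Dict[int, User] = {
    1001: User(1001, "alice@example.com", md5_hex("password1"), "Front gate", ["thumb"]),
    1002: User(1002, "bob@example.com", md5_hex("letmein"), "Shed", ["index", "thumb"]),
    1003: User(1003, "carol@example.com", md5_hex("Tq7#pLw9!vZ2"), "Garage"),
}

# Session tokens issued at login: token -> user_id of the principal.
SESSIONS: Dict[str, int] = {}


def login(user_id: int) -> str:
    """Issue a random bearer token bound to one user (hypothetical login)."""
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def _render(u: User) -> dict:
    return {"email": u.email, "password_md5": u.password_md5,
            "lock_name": u.lock_name, "fingerprint_names": list(u.fingerprint_names)}


def get_profile_vulnerable(token: str, user_id: int) -> Optional[dict]:
    """IDOR: the token is authenticated, but the caller-supplied user_id is
    used as-is, so any valid token can read any user's record."""
    if token not in SESSIONS:
        return None                        # 401: no valid session
    u = USERS.get(user_id)
    return _render(u) if u else None


def get_profile_fixed(token: str, user_id: int) -> Optional[dict]:
    """Fixed: the record is selected by the token's principal; a user_id that
    does not match the principal is refused rather than looked up."""
    principal = SESSIONS.get(token)
    if principal is None:
        return None                        # 401
    if user_id != principal:
        return None                        # 403: not the caller's resource
    return _render(USERS[principal])


def harvest(api: Callable[[str, int], Optional[dict]], token: str,
            id_range: Iterable[int]) -> Dict[int, dict]:
    """What the advisory describes: one valid token, a sweep over guessable IDs."""
    out: Dict[int, dict] = {}
    for uid in id_range:
        rec = api(token, uid)
        if rec is not None:
            out[uid] = rec
    return out


def crack_unsalted_md5(hashes: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Unsalted hashes let one precomputed table serve every harvested record."""
    table = {md5_hex(w): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


if __name__ == "__main__":
    token = login(1001)                    # attacker owns only account 1001
    leaked = harvest(get_profile_vulnerable, token, range(1000, 1010))
    print("vulnerable API leaked IDs:", sorted(leaked))      # [1001, 1002, 1003]
    print("fixed API returned IDs:   ",
          sorted(harvest(get_profile_fixed, token, range(1000, 1010))))  # [1001]
    hits = crack_unsalted_md5((r["password_md5"] for r in leaked.values()),
                              ["123456", "letmein", "password1"])
    print("cracked:", sorted(hits.values()))              # ['letmein', 'password1']
```

The point of `get_profile_fixed` is that the user ID is never used as a lookup key: the principal comes from the session, and a mismatching ID is rejected before any data is read. Returning the password hash to the client at all is a separate defect; a fixed endpoint would omit that field regardless of who asks.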

Exploit

IDOR


Weakness Enumeration

Related Identifiers

CVE-2020-8791

Affected Products

Fingerprint Bluetooth Padlock Fb50
Oklok Mobile Companion App