PT-2020-20282 · Oklok · Oklok Mobile Companion App+1

Published

2020-05-04

·

Updated

2021-07-21

·

CVE-2020-8792

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

OKLOK mobile companion app version 3.1.1
Fingerprint Bluetooth Padlock FB50 version 2.3

Description

The mobile app has an information-exposure issue. When attempting to add an already-bound lock by its barcode, the app reveals the email address of the account to which the lock is bound, as well as the name of the lock. The barcode strings follow a predictable pattern, making it easy to guess valid inputs. As a result, correctly guessed valid barcode inputs entered through the app interface can disclose arbitrary users' email addresses and lock names.

Recommendations

For OKLOK mobile companion app version 3.1.1, consider implementing a more secure barcode generation mechanism to prevent predictable patterns. For Fingerprint Bluetooth Padlock FB50 version 2.3, restrict access to the lock's barcode input feature until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
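As an added illustration that is not part of the advisory or of the vendor's code, the following Python contrasts the add-lock behaviour described above (the response echoes the current owner's email and lock name) with a hardened handler that answers every refusal identically and issues barcodes from a CSPRNG. The binding table, account names and barcode format are constructed for the example.

```python
import secrets

# Constructed sample binding table: barcode -> (owner email, lock name).
# Hypothetical values; nothing here is taken from the advisory.
BOUND_LOCKS = {
    "FB50-000123": ("alice@example.com", "Garage"),
}


def add_lock_vulnerable(barcode: str) -> dict:
    """'Before' behaviour as the advisory describes it: a request to add an
    already-bound lock returns the current owner's email and lock name, so the
    add-lock flow doubles as an account-lookup oracle (binding step omitted)."""
    if barcode in BOUND_LOCKS:
        email, name = BOUND_LOCKS[barcode]
        return {"ok": False, "bound_to": email, "lock_name": name}
    return {"ok": True}


def add_lock_hardened(barcode: str, requester: str, lock_name: str) -> dict:
    """Hardened handler: never echoes another account's data. A barcode that
    is already bound gets one generic refusal, whoever owns it, so the reply
    carries no information about other accounts."""
    if BOUND_LOCKS.get(barcode) is None:
        BOUND_LOCKS[barcode] = (requester, lock_name)
        return {"ok": True}
    # Same message for 'bound to me' and 'bound to someone else'.
    return {"ok": False, "error": "this lock cannot be added to your account"}


def new_barcode(prefix: str = "FB50-") -> str:
    """Issue a barcode from a CSPRNG: 128 bits of entropy make valid values
    infeasible to guess, unlike a sequential or date-derived scheme."""
    return prefix + secrets.token_hex(16)
```

The hardened handler still confirms that a barcode is taken, so unpredictable barcodes (new_barcode) remain necessary; the two measures together correspond to the advisory's recommendation.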

Exploit

Weakness Enumeration

Use of Insufficiently Random Values

Related Identifiers

CVE-2020-8792

Affected Products

Fingerprint Bluetooth Padlock Fb50
Oklok Mobile Companion App