PT-2022-23621 · Pal Electronics Systems · Palgate

Tal Saadi · Published 2022-09-13 · Updated 2022-09-15 · CVE-2022-36782

CVSS v3.1: 5.9 (Medium)
Vector: AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Pal Electronics Systems (affected versions not specified)

Description: The issue is an authorization problem in the PalGate device management Android client app, which controls gates of buildings and parking lots with a simple button in any smartphone. An attacker can iterate over all IoT devices to see every entry and exit on every gate and device worldwide. They can also scrape the server to build a database of the full names and phone numbers of over 2.8 million users, and track users' movements in and out of gates, even in real time. The API was discovered by decompiling the app and static analysis with Jadx, and by dynamic analysis with Frida.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
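The flaw class described above is a missing object-level authorization check: any authenticated user can request any device id. The following is an added example, not PalGate's code and not part of the advisory; the device model, user ids, route shape, sample access log and the `device_log_*` functions are all constructed for illustration. It shows a handler that trusts the client-supplied device id beside a handler that derives the decision from server-side ownership data, and a small detector that flags the id-iteration pattern in an access log.

```python
"""Hypothetical server-side model of a gate-management API, illustrating
object-level authorization and enumeration detection. Added example: this
is not PalGate's code; all names, routes and sample data are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Device:
    device_id: int
    site: str
    authorized_users: set = field(default_factory=set)  # user ids allowed to use this gate
    log: list = field(default_factory=list)             # (timestamp, user_id, direction)


# Constructed sample data: three gates, two legitimate users.
DEVICES = {
    1001: Device(1001, "building-A", {"u-alice"}, [("2022-09-13T08:01:00Z", "u-alice", "in")]),
    1002: Device(1002, "parking-B", {"u-bob"}, [("2022-09-13T08:05:00Z", "u-bob", "out")]),
    1003: Device(1003, "building-C", {"u-bob"}, [("2022-09-13T08:09:00Z", "u-bob", "in")]),
}


class Forbidden(Exception):
    """Raised when the caller is authenticated but not authorized for the object."""


def device_log_vulnerable(user_id, device_id):
    """Broken object-level authorization: any logged-in user can read any
    device's log just by supplying its id (the class of flaw in the advisory)."""
    if user_id is None:
        raise PermissionError("login required")
    return DEVICES[device_id].log


def device_log_fixed(user_id, device_id):
    """Per-object check: the decision comes from server-side data, never from
    anything the client sends. Unknown and unauthorized ids produce the same
    error so the caller cannot learn which ids exist."""
    if user_id is None:
        raise PermissionError("login required")
    dev = DEVICES.get(device_id)
    if dev is None or user_id not in dev.authorized_users:
        raise Forbidden("device not available to this user")
    return dev.log


# Detection: one principal touching many distinct device ids in a short span
# is the signature of the enumeration the advisory describes.
# Constructed access-log lines: "<timestamp> <user> <method> <path> <status>".
SAMPLE_ACCESS_LOG = """\
2022-09-13T09:00:00Z u-alice GET /device/1001/log 200
2022-09-13T09:00:01Z u-mallory GET /device/1001/log 200
2022-09-13T09:00:01Z u-mallory GET /device/1002/log 200
2022-09-13T09:00:02Z u-mallory GET /device/1003/log 200
2022-09-13T09:00:02Z u-mallory GET /device/1004/log 404
2022-09-13T09:00:03Z u-mallory GET /device/1005/log 404
2022-09-13T09:30:00Z u-bob GET /device/1002/log 200
"""


def find_enumerators(access_log, threshold=5):
    """Return user ids that requested at least `threshold` distinct device ids.
    Both 200 and 404 responses count: a failed probe is still a probe."""
    seen = defaultdict(set)
    for line in access_log.splitlines():
        _ts, user, _method, path, _status = line.split()
        parts = path.split("/")
        if len(parts) >= 3 and parts[1] == "device":
            seen[user].add(parts[2])
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print("vulnerable, alice reads bob's gate:", device_log_vulnerable("u-alice", 1002))
    try:
        device_log_fixed("u-alice", 1002)
    except Forbidden as e:
        print("fixed, alice denied:", e)
    print("enumerating principals:", find_enumerators(SAMPLE_ACCESS_LOG))
```

The fixed handler keys the check on a server-side `authorized_users` set rather than on any identifier in the request, and it collapses "does not exist" and "not yours" into one response so a caller cannot map the id space by comparing status codes. The detector is deliberately simple (distinct ids per principal); in a real deployment the threshold would be tuned to the number of gates a single account legitimately uses.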

Related Identifiers

CVE-2022-36782

Affected Products

Palgate