CVE-2023-36620

Name of the Vulnerable Software and Affected Versions Boomerang Parental Control application versions prior to 13.83 for Android

Description An issue was discovered in the Boomerang Parental Control application where the app is missing the android:allowBackup="false" attribute in the manifest. This allows a user to backup the internal memory of the app to a PC, giving them access to the API token used to authenticate requests to the API. This vulnerability can be exploited by an attacker with physical access to the device, potentially allowing them to take over the admin control panel and spy on a kid. The estimated number of potentially affected devices is over 100,000.

Recommendations For versions prior to 13.83, update to version 13.83 or later to resolve the issue. As a temporary workaround, consider restricting access to the device to minimize the risk of exploitation. Additionally, users should be cautious when granting physical access to their devices to prevent potential attacks.