lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAHmS9PJzdk72xjjYRdNPP1iCGv8g=2TcDztPr2WP10OW0-LKqw@mail.gmail.com> Date: Tue, 26 Nov 2019 09:50:59 -0500 From: David Coomber <davidcoomber.infosec@...il.com> To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com Subject: [FD] Anhui Huami Mi Fit Android Application - Unencrypted Update Check Anhui Huami Mi Fit Android Application - Unencrypted Update Check -- https://www.info-sec.ca/advisories/Huami-Mi-Fit.html Overview "Mi Fit tracks your activity, analyzes sleep, and evaluates your workouts." (https://play.google.com/store/apps/details?id=com.xiaomi.hm.health) Issue The Anhui Huami Mi Fit Android application (version 4.0.10 and below), does not encrypt the connection when it checks for an update. Impact An attacker who can monitor network traffic may be able to tamper with the application's update function. Timeline October 21, 2019 - Attempted to obtain a security contact via an email to support@...zfit.com October 22, 2019 - Provided the details to CERT/CC October 23, 2019 - CERT/CC opened a case for tracking November 4, 2019 - Attempted to obtain a security contact via an email to security@...omi.com Solution Upgrade to version 4.0.11 or later _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists