// For flags

CVE-2019-5625

Eaton Halo Home Android App Insecure Storage

Severity Score

7.1
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Android mobile application Halo Home before 1.11.0 stores OAuth authentication and refresh access tokens in a clear text file. This file persists until the user logs out of the application and reboots the device. This vulnerability can allow an attacker to impersonate the legitimate user by reusing the stored OAuth token, thus allowing them to view and change the user's personal information stored in the backend cloud service. The attacker would first need to gain physical control of the Android device or compromise it with a malicious app.

La aplicación móvil de Android Halo Home versión anterior a 1.11.0, almacena la autenticación OAuth y actualiza los tokens de acceso en un archivo de texto sin cifrar. Este archivo persiste hasta que el usuario termina la sesión de la aplicación y reinicia el dispositivo. Esta vulnerabilidad puede permitir a un atacante suplantar al usuario legítimo al reutilizar el OAuth token almacenado, lo que les permite ver y cambiar la información personal del usuario almacenada en el servicio backend cloud service. El atacante primero tendría que obtener el control físico del dispositivo Android o comprometerlo con una app maliciosa.

*Credits: This vulnerability was discovered by Rapid7 researcher Deral Heiland.
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-01-07 CVE Reserved
  • 2019-05-22 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-522: Insufficiently Protected Credentials
  • CWE-922: Insecure Storage of Sensitive Information
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Eaton
Search vendor "Eaton"
Halo Home
Search vendor "Eaton" for product "Halo Home"
1.9.0
Search vendor "Eaton" for product "Halo Home" and version "1.9.0"
android
Affected