Mobile Spy Insecure Password Storage Information Disclosure Vulnerability

Bugtraq ID:	26177
Class:	Design Error
CVE:	CVE-2007-5778
Remote:	No
Local:	Yes
Published:	Oct 23 2007 12:00AM
Updated:	Nov 15 2007 12:38AM
Credit:	Seth Fogie is credited with the discovery of this issue.
Vulnerable:	Mobile-Spy Mobile-Spy 0
Not Vulnerable:

Mobile Spy Insecure Password Storage Information Disclosure Vulnerability

Mobile Spy is prone to an information-disclosure vulnerability because it fails to securely store username and password data.

Users of a phone can gain control of the application as well as full access to the related webservice account.

Mobile Spy Insecure Password Storage Information Disclosure Vulnerability

An attacker can leverage this issue by accessing a phone that has the application installed on it.

Mobile Spy Insecure Password Storage Information Disclosure Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

Mobile Spy Insecure Password Storage Information Disclosure Vulnerability

References:

• Inside Mobile-spy "Spouseware," Part 1 (InformIT)
  
• Inside Mobile-spy "Spouseware," Part 2 (InformIT)
  
• Vendor Homepage (Mobile-Spy)
  
• Airscanner Mobile Security Advisory #07101401: Mobile-spy Victim/User Phone/SMS/ (Seth Fogie )