moPS App Unauthenticated Access to Administrative API Endpoints Vulnerability
Vulnerability
A vulnerability in the moPS App by MOPS GmbH, affecting versions through 1.8.618 on Windows, iOS and Android, allows access to administrative API endpoints without any authentication. Because the endpoints do not check who is calling, the flaw grants unrestricted read and write access and lets critical data be read or manipulated. The app is used for civil protection and disaster control by, among others, several Austrian federal states, ASFINAG and the German Federal Police, so such manipulation could disrupt those operations.
Impact
Exploitation of this vulnerability could lead to unauthorized access and modification of data within the application, with possible repercussions on systems and operations related to civil protection and disaster management.
Reproduction
The vulnerability can be reproduced by sending requests to the administrative API endpoints without any authentication, for example with curl or with a custom client that talks to the API. A request that carries no session cookie, token or other credential and still receives a successful response demonstrates the missing check: the request is processed with full administrative privileges.
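The curl-based check described above, written out as an added example (this is not MOPS GmbH code or part of the original advisory). The base URL and the endpoint paths are placeholders that the tester supplies; the script only classifies the HTTP status each anonymous request receives, so it can also serve as a post-update verification that the endpoints now reject unauthenticated calls.

```shell
#!/bin/sh
# Added example: probe administrative API endpoints with deliberately anonymous
# requests and report which ones are served without authentication.
# Base URL and endpoint paths are placeholders chosen by the tester, not the
# real moPS API layout.

# classify STATUS -> EXPOSED | PROTECTED | OTHER
# A 2xx answer to a request that carried no credentials means the endpoint
# processed it, i.e. the authentication check is missing. 401/403 is the
# behaviour expected after the fix. Anything else (redirects to a login page,
# 404 for a wrong path, 5xx, or 000 when curl could not connect) needs a look.
classify() {
  case "$1" in
    2[0-9][0-9]) echo EXPOSED ;;
    401|403)     echo PROTECTED ;;
    *)           echo OTHER ;;
  esac
}

# probe BASE_URL PATH -> prints "PATH STATUS VERDICT"
# -s: quiet, -o /dev/null: discard body, -w: print only the status code.
# No -H Authorization, no -b cookie jar: the request is intentionally anonymous.
# Only GET is used so the probe itself does not modify data; write endpoints
# should be tested with -X POST/PUT against a non-production instance only.
probe() {
  base="$1"; path="$2"
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$base$path")
  printf '%s %s %s\n' "$path" "$status" "$(classify "$status")"
}

# probe_all BASE_URL reads endpoint paths from stdin, one per line, and
# returns non-zero if any endpoint answered an anonymous request with 2xx.
probe_all() {
  base="$1"; exposed=0
  while IFS= read -r path; do
    [ -z "$path" ] && continue
    line=$(probe "$base" "$path")
    echo "$line"
    case "$line" in *EXPOSED) exposed=1 ;; esac
  done
  return "$exposed"
}

# Usage (placeholder host and paths, not real moPS endpoints):
#   printf '%s\n' /api/admin/users /api/admin/contacts \
#     | sh probe.sh https://mops.example.test
if [ "$#" -ge 1 ]; then
  probe_all "$1"
fi
```

Run it once before and once after updating: every line that reads EXPOSED before the update should read PROTECTED afterwards, and the non-zero exit status makes the check easy to wire into a scripted acceptance test.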
Remediation
Users are advised to update the moPS App to version 1.8.619 or later. Because the flaw allowed unauthenticated write access, operators should, after updating, check all stored contact data for unauthorised changes and reset all passwords, since credentials may have been exposed.
