BlackVue App Hardcoded Secrets Exposure Vulnerability

A vulnerability exists in BlackVue App version 3.65 for Android, where hardcoded secrets, specifically BCS_TOKEN and SECRET_KEY, are exposed in plaintext. This vulnerability arises from the improper handling of these secrets within the API Endpoint Handler component, leading to unprotected storage of credentials. Local access is required to exploit this issue, but the consequences can be significant, allowing for unauthorized access to sensitive information and potential manipulation of the application or connected devices.

Impact

The exposure of hardcoded secrets in plaintext can lead to unauthorized access and actions within the application, including privileged API requests that could modify settings or control connected devices.

Reproduction

The vulnerability can be reproduced by accessing the BlackVue App version 3.65 on Android. The BCS_TOKEN and SECRET_KEY are exposed in plaintext within the app's APK, and the BCS_SIGNATURE can be easily computed. With the user token, which is transmitted via GET parameter, an attacker can make privileged requests to the application's API.