Ullu Parental Control Bypass Vulnerability
Vulnerability
A vulnerability allowing the bypass of parental controls has been identified in the Ullu app for Android (version 2.9.929) and iOS (version 2.8.0), as well as on the Ullu web platform. This vulnerability arises from incorrect access control, which enables attackers to manipulate the parental PIN feature. On the web, the absence of rate-limiting allows for automated brute-force attacks on the PIN, while on mobile devices, intercepted PIN attempts can be replayed or manually tested.
Impact
Exploiting this vulnerability bypasses parental controls, granting unauthorized access to adult content and potentially violating legal protections against underage exposure.
Reproduction
To reproduce this vulnerability on the Ullu web platform, intercept the HTTP request that includes the parental PIN. Then, use a tool like Burp Intruder or a custom script to automate the brute-force attack by sending repeated requests with PIN combinations until the correct one is found. For the mobile app, the PIN can be brute-forced manually by trying all combinations or automatically by intercepting the PIN entry with a tool like Frida, then replaying the attempts until the correct PIN is identified.
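The root cause on both platforms is that the PIN check itself is unthrottled, so every guess costs the attacker nothing but a request. The following Python block is an added example of the server-side control that closes this gap; it is not Ullu's code and makes no claim about how the real service stores or checks PINs. It assumes a hypothetical ParentalPinStore that hashes the PIN with a per-account salt, compares in constant time, and locks the account for a fixed window after a small number of failures, so an automated guesser gets only a handful of evaluated attempts instead of the full keyspace. The clock, account id and PIN values are constructed for the demonstration.

```python
"""Throttled server-side parental-PIN verification (hypothetical example)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    """Per-account failure counter and lockout deadline."""
    failures: int = 0
    locked_until: float = 0.0


class ManualClock:
    """Injectable clock so lockout expiry can be tested without sleeping."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class ParentalPinStore:
    """Stores salted PIN hashes and enforces a lockout after repeated failures."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 300,
                 clock=time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._pins: dict[str, tuple[bytes, bytes]] = {}   # account -> (salt, digest)
        self._state: dict[str, AccountState] = {}

    @staticmethod
    def _digest(salt: bytes, pin: str) -> bytes:
        # PBKDF2 slows each comparison; a short numeric PIN needs every bit of help.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def set_pin(self, account_id: str, pin: str) -> None:
        if not (pin.isdigit() and 4 <= len(pin) <= 6):
            raise ValueError("PIN must be 4 to 6 digits")
        salt = secrets.token_bytes(16)
        self._pins[account_id] = (salt, self._digest(salt, pin))
        self._state[account_id] = AccountState()

    def verify(self, account_id: str, candidate: str) -> str:
        """Return 'ok', 'wrong_pin' or 'locked'. Locked accounts are never compared."""
        state = self._state[account_id]
        now = self.clock()
        if now < state.locked_until:
            return "locked"           # no hash work, no oracle for the guesser
        salt, stored = self._pins[account_id]
        if hmac.compare_digest(self._digest(salt, candidate), stored):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.max_failures:
            state.failures = 0
            state.locked_until = now + self.lockout_seconds
            return "locked"           # this failure triggered the lockout
        return "wrong_pin"


def simulate_guessing(store: ParentalPinStore, account_id: str, guesses) -> dict[str, int]:
    """Feed a list of guesses through verify() and count each outcome."""
    counts = {"ok": 0, "wrong_pin": 0, "locked": 0}
    for guess in guesses:
        counts[store.verify(account_id, guess)] += 1
    return counts


if __name__ == "__main__":
    clock = ManualClock()
    store = ParentalPinStore(max_failures=5, lockout_seconds=300, clock=clock)
    store.set_pin("parent-account", "4821")          # constructed sample PIN
    sequential = [f"{n:04d}" for n in range(100)]    # 0000..0099, as a guesser would send
    print(simulate_guessing(store, "parent-account", sequential))
    print("correct PIN during lockout:", store.verify("parent-account", "4821"))
    clock.advance(301)
    print("correct PIN after lockout:", store.verify("parent-account", "4821"))
```

The lockout counter lives with the account rather than the client address, so swapping proxies or reinstalling the app does not reset it, and the early return on a locked account means the attempt is neither hashed nor compared, which also removes the response-time difference that a replayed request could otherwise measure.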