Splashin iOS Location Data Access Vulnerability
Vulnerability
A vulnerability in the Splashin iOS application, version 2.0, allows unauthorized access to location data for specific users. The issue arises from insecure permissions that fail to properly validate subscription levels, enabling free-tier users to access premium features such as real-time location updates and location request capabilities. The root cause is in the application's backend, which does not enforce subscription-based access controls, leaving user privacy at risk and potentially causing revenue loss for the service.
Impact
Exploitation of this vulnerability allows free users to access real-time location data and activities of premium users, bypassing the intended update intervals. This not only violates user privacy but also undermines the application's subscription model, leading to potential revenue loss.
Reproduction
The vulnerability can be reproduced by intercepting the application's API requests using a tool like Charles Proxy. Free users can bypass the 10-minute location update restriction by directly calling the 'get_user_locations_by_user_ids_minimal' endpoint at shorter intervals. Additionally, free users can exploit the 'location-request' endpoint, which is supposed to be a premium feature, to force immediate location updates from premium users.
Remediation
To address this vulnerability, it is recommended to implement server-side subscription validation on the affected API endpoints. This includes checking a user's subscription level before processing location data requests or location update requests. Additionally, rate limiting should be applied to prevent abuse of these features.
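The server-side check described above, as an added example that is not Splashin's code: the endpoint names come from this advisory, while the user record, tier names, the AccessDecision type and the in-memory rate limiter are hypothetical.

```python
"""Server-side subscription validation for location endpoints (added example)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# The 10-minute interval free users are meant to be held to, per the advisory.
FREE_LOCATION_POLL_INTERVAL_SEC = 10 * 60
PREMIUM_ONLY_ENDPOINTS = {"location-request"}
RATE_LIMITED_ENDPOINTS = {"get_user_locations_by_user_ids_minimal"}


@dataclass
class User:
    user_id: str
    tier: str  # hypothetical tier names: "free" or "premium"


@dataclass
class AccessDecision:
    allowed: bool
    reason: str
    retry_after_sec: int = 0


class LocationAccessPolicy:
    """Decides, on the server, whether a caller may use a location endpoint.

    The tier must come from the server's own user record, never from the
    request, so a client cannot claim a subscription it does not hold.
    Any tier other than "premium" is treated as free (fail closed).
    """

    def __init__(self) -> None:
        # (user_id, endpoint) -> timestamp of the last accepted call
        self._last_call: Dict[Tuple[str, str], float] = {}

    def authorize(self, user: User, endpoint: str, now: float) -> AccessDecision:
        is_premium = user.tier == "premium"
        if endpoint in PREMIUM_ONLY_ENDPOINTS and not is_premium:
            return AccessDecision(False, "premium subscription required")
        if endpoint in RATE_LIMITED_ENDPOINTS and not is_premium:
            key = (user.user_id, endpoint)
            last = self._last_call.get(key)
            if last is not None and now - last < FREE_LOCATION_POLL_INTERVAL_SEC:
                wait = int(FREE_LOCATION_POLL_INTERVAL_SEC - (now - last))
                return AccessDecision(False, "rate limited", retry_after_sec=wait)
            self._last_call[key] = now  # denied calls do not reset the window
        return AccessDecision(True, "ok")
```

In a real deployment the rate-limit state would live in a shared store (for example a cache keyed per user) rather than process memory, and the decision would be enforced before any location data is read.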
