Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

AVTECH EagleEyes Lite Cleartext Transmission of Sensitive Information Vulnerability

Vulnerability

A vulnerability in AVTECH EagleEyes Lite version 2.0.0 allows the cleartext transmission of sensitive information, including internal server URLs, account IDs, passwords, and device tokens. This data is placed in plaintext query parameters of the request URL, exposing it to interception by malicious actors. The issue arises in the 'GetHttpsResponse' method, which, on Android versions prior to 8.0, embeds the sensitive values directly in the URL query string. Although the request itself is made over HTTPS, a URL is recorded and forwarded in ways a request body is not (proxy and server access logs, TLS-intercepting middleboxes, client-side caches), so anyone able to observe or log the URL recovers the credentials. This undermines the confidentiality of user data and poses a significant risk when the application is used on untrusted networks.

Impact

Exploitation of this vulnerability leads to the leakage of sensitive user information, including credentials and authentication tokens, which could be used for unauthorized access to AVTECH CCTV systems.

Reproduction

The vulnerability can be reproduced by running AVTECH EagleEyes Lite version 2.0.0 on an Android device with a version prior to 8.0. When the 'GetHttpsResponse' method is called, sensitive information such as account IDs and passwords is transmitted in plaintext within the URL query parameters of the HTTPS request. This can be confirmed by intercepting the traffic with an HTTPS proxy whose certificate the device trusts, or by hooking the method with a Frida script to capture the request URL before it is sent.

Remediation

The application should not place sensitive information in URL query parameters. Credentials and tokens should instead be transmitted in the body of HTTPS POST requests, so that they do not appear in URLs, logs, or intermediary systems.
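The following is an added example (not AVTECH's code, nor derived from the EagleEyes Lite app) that contrasts the vulnerable pattern described above with the remediated form, and includes the kind of check a practitioner would run over captured proxy or server access logs to spot credentials travelling in query strings. The endpoint path, the parameter names (account, password, token) and the log lines are assumptions constructed for illustration; the page does not give the app's real names. Nothing is sent over the network: the requests are only built and inspected.

```python
"""Credentials in URL query strings vs. in a POST body, plus a log scanner.

Added example, not the application's own code. The endpoint and parameter
names below are assumed for illustration only.
"""
from urllib.parse import parse_qs, urlencode, urlsplit
from urllib.request import Request

# Hypothetical login endpoint; the real app's URL is not given on the page.
BASE = "https://eagleeyes.example/cgi-bin/login"

# Parameter names that must never travel in a query string (assumed names;
# adjust to whatever the captured traffic actually uses).
SENSITIVE_PARAMS = {"account", "password", "pwd", "token", "user"}


def vulnerable_request(account: str, password: str, token: str) -> Request:
    """The pattern the advisory describes: secrets embedded in the URL.

    The full URL, secrets included, is what proxies, access logs and any
    TLS-terminating middlebox record, even though the transport is HTTPS.
    """
    query = urlencode({"account": account, "password": password, "token": token})
    return Request(f"{BASE}?{query}", method="GET")


def hardened_request(account: str, password: str, token: str) -> Request:
    """Remediated form: secrets only in the POST body; the URL stays clean."""
    body = urlencode({"account": account, "password": password, "token": token})
    req = Request(BASE, data=body.encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def leaked_params(url_or_target: str) -> dict:
    """Return the sensitive query parameters (name -> values) found in a URL.

    Accepts either an absolute URL or a bare request target like
    '/cgi-bin/login?account=...'; urlsplit handles both.
    """
    qs = parse_qs(urlsplit(url_or_target).query, keep_blank_values=True)
    return {k: v for k, v in qs.items() if k.lower() in SENSITIVE_PARAMS}


def scan_access_log(lines) -> list:
    """Flag Common-Log-Format lines whose request target carries secrets.

    Returns (line_number, method, sorted parameter names) per finding.
    Lines that do not contain a quoted "METHOD target HTTP/x" are skipped.
    """
    findings = []
    for n, line in enumerate(lines, start=1):
        try:
            request_part = line.split('"')[1]           # 'GET /path?q HTTP/1.1'
            method, target, _version = request_part.split(" ", 2)
        except (IndexError, ValueError):
            continue
        leaked = leaked_params(target)
        if leaked:
            findings.append((n, method, sorted(leaked)))
    return findings


# Constructed sample log lines (not real traffic): one leaking request,
# one harmless GET, and one POST whose credentials are in the body.
SAMPLE_LOG = [
    '10.0.0.5 - - [15/Sep/2025:14:21:00 +0000] '
    '"GET /cgi-bin/login?account=admin&password=hunter2&token=abc123 HTTP/1.1" 200 512',
    '10.0.0.5 - - [15/Sep/2025:14:21:03 +0000] "GET /cgi-bin/status?id=7 HTTP/1.1" 200 88',
    '10.0.0.5 - - [15/Sep/2025:14:21:05 +0000] "POST /cgi-bin/login HTTP/1.1" 200 512',
]


if __name__ == "__main__":
    bad = vulnerable_request("admin", "hunter2", "abc123")
    good = hardened_request("admin", "hunter2", "abc123")
    print("vulnerable URL :", bad.full_url)
    print("leaked params  :", leaked_params(bad.full_url))
    print("hardened URL   :", good.full_url, "| body:", good.data)
    print("log findings   :", scan_access_log(SAMPLE_LOG))
```

The scanner only looks at the request line, which is exactly where the advisory's exposure lives: a proxy or web server that logs requests writes the query string to disk, whereas a POST body is normally not logged at all. Run it against a proxy export from the device to see whether the app's requests show up with the sensitive names in the query.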

Added: Sep 15, 2025, 2:21 PM
Updated: Sep 15, 2025, 8:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.9
remediation: 0.0
relevance: 0.5
threat: 8.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.