BabyChakra Pregnancy & Parenting App Segment Write Key Exposure Vulnerability

A vulnerability exists in the BabyChakra Pregnancy & Parenting App for Android, in versions prior to 5.4.3.0. The issue arises from a hardcoded Segment write key in the application's Configuration.java file. This key can be extracted through reverse engineering and used to send arbitrary tracking events or modify user profiles via Segment's API. Such exploitation could inject fraudulent analytics data, corrupt business intelligence, disrupt user segmentation, and misuse related downstream systems.

Impact

Exploitation of this vulnerability allows for unauthorized access to the Segment write key, which can be used to manipulate user profiles and inject false analytics data into the application. This could lead to a misrepresentation of user engagement and behavior, potentially disrupting business operations that rely on accurate data.

Reproduction

The vulnerability can be reproduced by downloading the BabyChakra Pregnancy & Parenting App version 5.4.3.0 or earlier. After installing the app, the Segment write key can be extracted from the Configuration.java file through reverse engineering. Once obtained, this key can be used to send fake tracking events or alter user profiles via Segment's API.