Noelse Individuals & Pro App Segment Write Key Exposure Vulnerability
Vulnerability
A vulnerability exists in the Noelse Individuals & Pro App for Android, specifically in versions up to 2.1.7. The issue arises from a hard-coded Segment write key found in the application's BuildConfig.java file. This key can be extracted through reverse engineering and used to send arbitrary tracking events or modify user profiles via Segment's API. An attacker holding the key could inject fraudulent analytics data, corrupting business intelligence, disrupting user segmentation and misleading downstream systems that rely on this data.
Impact
Exploitation of this vulnerability allows for the injection of fraudulent analytics data and manipulation of user profiles, potentially leading to corrupted business intelligence and incorrect user segmentation.
Reproduction
The vulnerability can be reproduced by downloading the Noelse Individuals & Pro App on an Android device, version 2.1.7 or earlier. After installation, the app can be reverse-engineered to access the hard-coded Segment write key in the BuildConfig.java file. Once obtained, this key can be used to send fake tracking events or alter user profiles through Segment's API.
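A defender-side check for the class of issue described above: a scanner that flags string constants in a decompiled BuildConfig.java whose name hints at a credential and whose value is long and high-entropy, which is how a hard-coded write key typically looks. This is an added example, not code from the advisory or the app; the sample file content and the key value in it are constructed placeholders.

```python
"""Scan decompiled BuildConfig.java text for hard-coded secrets such as an
analytics write key.  Added example; sample input below is constructed."""
import math
import re

# Matches: public static final String SOME_NAME = "value";
FIELD_RE = re.compile(
    r'public\s+static\s+final\s+String\s+(\w+)\s*=\s*"([^"]*)"\s*;'
)
# Field names that commonly carry credentials in a BuildConfig class.
SUSPICIOUS_NAME = re.compile(r"(KEY|SECRET|TOKEN|PASSWORD|WRITE)", re.I)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random API keys score well above 3."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(java_source, min_len=16, min_entropy=3.0):
    """Return (field, value, entropy) for constants that look like secrets:
    suspicious name, at least min_len chars, entropy >= min_entropy."""
    findings = []
    for name, value in FIELD_RE.findall(java_source):
        if not SUSPICIOUS_NAME.search(name) or len(value) < min_len:
            continue
        ent = shannon_entropy(value)
        if ent >= min_entropy:
            findings.append((name, value, round(ent, 2)))
    return findings


# Constructed sample resembling a decompiled BuildConfig.java; the key is a
# made-up placeholder, not a value taken from the advisory or the app.
SAMPLE = '''
public final class BuildConfig {
  public static final boolean DEBUG = false;
  public static final String APPLICATION_ID = "com.example.app";
  public static final String BUILD_TYPE = "release";
  public static final String VERSION_NAME = "2.1.7";
  public static final String SEGMENT_WRITE_KEY = "aB3dE7gH9jK2mN4pQ6rS8tU1vW5xY0zA";
  public static final String API_BASE_URL = "https://api.example.com/";
}
'''

if __name__ == "__main__":
    for name, value, ent in find_hardcoded_secrets(SAMPLE):
        print(f"{name}: {value[:6]}... (entropy {ent} bits/char)")
```

Run the same function over a `buildConfigField` line in build.gradle or over the output of a decompiler to catch the key before the build ships.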
