A pair of bugs in the Snap-owned tracking app reveals phone numbers and allows account hijacking.
Zenly, a social app from Snap that allows users to see the locations of friends and family on a live map, contains a pair of vulnerabilities that could endanger those being tracked.
According to the Checkmarx Security Research Team, the bugs are a user-data exposure vulnerability and an account-takeover vulnerability. Both have been patched, and users should upgrade their apps to the latest version to avoid compromise.
The first bug is a medium-severity problem that reveals the phone numbers of users.
“When submitting a friend request to a user, Zenly will allow access to their phone number regardless of whether the friend request is accepted or not,” explained the researchers, in a Thursday posting. “To obtain this information, a malicious actor only needs to know their username.”
Obtaining usernames is easier than it might otherwise be, they added, since Zenly exposes an “exhaustive list of friends of a user.”
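To make the access-control failure described above concrete, the following is an added illustration, not Zenly's code and not from Checkmarx: a hypothetical friend-request model with one profile lookup that hands out the phone number as soon as a request merely exists, beside a hardened lookup that gates contact data and the friend list on an accepted friendship. All names, the data model, the two profile methods and the sample accounts are assumptions constructed for the example.

```python
"""Hypothetical model of the friend-request flow described in the article.

Added example, not Zenly's code: the class names, the data model and the two
profile lookups are assumptions chosen to contrast returning contact data as
soon as a request exists with returning it only once the target accepts.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class RequestState(Enum):
    PENDING = "pending"
    ACCEPTED = "accepted"


@dataclass
class User:
    username: str
    phone: str
    friends: Set[str] = field(default_factory=set)  # usernames of accepted friends


@dataclass
class FriendGraph:
    users: Dict[str, User]
    # (sender, target) -> state of the friend request between them
    requests: Dict[Tuple[str, str], RequestState] = field(default_factory=dict)

    def send_request(self, sender: str, target: str) -> None:
        if sender == target or target not in self.users:
            raise ValueError("invalid target")
        self.requests.setdefault((sender, target), RequestState.PENDING)

    def accept_request(self, target: str, sender: str) -> None:
        # Only the target of a pending request can turn it into a friendship.
        key = (sender, target)
        if self.requests.get(key) is not RequestState.PENDING:
            raise ValueError("no pending request to accept")
        self.requests[key] = RequestState.ACCEPTED
        self.users[sender].friends.add(target)
        self.users[target].friends.add(sender)

    def is_friend(self, owner: str, other: str) -> bool:
        return other in self.users[owner].friends

    def profile_vulnerable(self, viewer: str, target: str) -> dict:
        """Leaky behaviour: the phone number is returned to anyone who has
        merely *sent* a request, before the target has accepted anything."""
        user = self.users[target]
        data = {"username": user.username}
        if (viewer, target) in self.requests:  # pending counts, which is the bug
            data["phone"] = user.phone
        return data

    def profile_hardened(self, viewer: str, target: str) -> dict:
        """Fixed behaviour: contact data is gated on an accepted friendship,
        a state only the target can create."""
        user = self.users[target]
        data = {"username": user.username}
        if self.is_friend(target, viewer):
            data["phone"] = user.phone
        return data

    def friends_list_hardened(self, viewer: str, target: str) -> Optional[Set[str]]:
        """Only the owner or an accepted friend may read the friend list."""
        if viewer == target or self.is_friend(target, viewer):
            return set(self.users[target].friends)
        return None


def build_sample() -> FriendGraph:
    """Constructed sample accounts for the demo (not real users or numbers)."""
    return FriendGraph(users={
        "ceo": User("ceo", "+1-555-0100"),
        "assistant": User("assistant", "+1-555-0101"),
        "stranger": User("stranger", "+1-555-0199"),
    })


if __name__ == "__main__":
    g = build_sample()
    g.send_request("stranger", "ceo")
    print("vulnerable lookup:", g.profile_vulnerable("stranger", "ceo"))
    print("hardened lookup:  ", g.profile_hardened("stranger", "ceo"))
    print("friend list seen by stranger:", g.friends_list_hardened("stranger", "ceo"))
```

The point of the contrast is where the authorization decision is anchored: the vulnerable lookup keys on an action the requester controls (sending a request), while the hardened one keys on an action only the data owner controls (accepting it). The same rule is applied to the friend list, so that enumerating usernames also requires an accepted relationship.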
As for how an attack might play out in practice, Checkmarx offered a hypothetical of a cyberattacker targeting a CEO.
Steps in the kill chain would include the