CVE-2021-25648 - Privilege Escalation on Mobile Application "Testes de Código"


15-02-2021

Vulnerability Details

Vendor: TM Mobile Solutions <app@testes-codigo.pt>

Product: "Testes de Código" Mobile Application (Android & iOS)

About: The mobile application "Testes de Código" (tdc.testesdecodigo) lets its users take theoretical driving tests based on Portuguese traffic rules. The application also integrates a public forum for asking questions and a chat for communication between students.
This is the #1 mobile app for practising theoretical driving tests in Portugal, with 500,000+ installations on Android devices.

Affected version: Version 11.4 and earlier.

Problem type: Privilege escalation; Access to administrative interface

Description: The system relies on client-side storage of user permissions: the "isAdmin" and "isPremium" values are kept on the device, where an attacker may tamper with them. Consequently, an attacker may gain access to the administrative interface that communicates with the backend API web server. Because anything stored on or sent from the client is under the attacker's control, authorization decisions must be made on the server from the authenticated user's identity, not from flags the client stores or sends.
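The pattern behind this advisory, as an added example written for this page and not the vendor's code: a backend handler that trusts an "isAdmin" flag the client kept in local storage and sent along with the request, next to a hardened handler that ignores client-supplied claims and derives the role (and premium status) from the server-side session. Endpoint, field and token names, and the user and session records, are constructed assumptions; nothing here reproduces the real application's API.

```python
"""Client-stored authorization flags vs. server-side authorization.

Added example, not the vendor's code. Every name and record below is a
constructed assumption used only to model the bug class in the advisory.
"""

# Server-side user store: the only place roles may legitimately live.
# Constructed sample data.
USERS = {
    "alice": {"role": "student", "premium": False},
    "admin1": {"role": "admin", "premium": True},
}

# Session token -> username, populated at login. Constructed sample data.
SESSIONS = {"tok-alice": "alice", "tok-admin1": "admin1"}


def vulnerable_admin_endpoint(request: dict) -> dict:
    """Trusts an 'isAdmin' flag the client sends with its request.

    The flag mirrors what the mobile app kept in local storage; anyone who
    edits that storage, or the HTTP body in transit, becomes an admin.
    """
    if request.get("isAdmin") is True:
        return {"status": 200, "body": "admin dashboard"}
    return {"status": 403, "body": "forbidden"}


def _hardened_endpoint(request: dict, allowed) -> dict:
    """Ignores client-supplied claims; looks the user up from the session
    and applies the `allowed` predicate to the server-side record."""
    user = SESSIONS.get(request.get("session"))
    if user is None:
        return {"status": 401, "body": "unauthenticated"}
    if not allowed(USERS[user]):
        return {"status": 403, "body": "forbidden"}
    return {"status": 200, "body": "ok"}


def hardened_admin_endpoint(request: dict) -> dict:
    """Admin interface: role must be 'admin' in the server-side store."""
    return _hardened_endpoint(request, lambda u: u["role"] == "admin")


def hardened_premium_endpoint(request: dict) -> dict:
    """Premium content: entitlement comes from the server-side store."""
    return _hardened_endpoint(request, lambda u: u["premium"])


def client_request(local_prefs: dict, session: str) -> dict:
    """Builds the request the way a naive client would: it copies the
    permission flags it has cached locally into the request."""
    return {
        "session": session,
        "isAdmin": local_prefs.get("isAdmin", False),
        "isPremium": local_prefs.get("isPremium", False),
    }


def attacker_tampers(local_prefs: dict) -> dict:
    """Models editing the app's local preference store (rooted device,
    backup extraction) or an intercepting proxy rewriting the request."""
    tampered = dict(local_prefs)
    tampered["isAdmin"] = True
    tampered["isPremium"] = True
    return tampered


def demo() -> dict:
    """A regular student account with tampered flags against both backends."""
    honest = {"isAdmin": False, "isPremium": False}
    req = client_request(attacker_tampers(honest), "tok-alice")
    return {
        "vulnerable_admin": vulnerable_admin_endpoint(req)["status"],
        "hardened_admin": hardened_admin_endpoint(req)["status"],
        "hardened_premium": hardened_premium_endpoint(req)["status"],
    }


if __name__ == "__main__":
    print(demo())
```

The client may still cache "isAdmin" or "isPremium" for UI purposes (showing or hiding a menu), but the hardened backend never reads those fields: every privileged route resolves the session to a server-side record and checks the role there, so a tampered device yields 403 instead of the admin dashboard.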

Solution: Update the mobile application to version 12.1 or newer.

References:

  1. https://testes-codigo.pt/
  2. https://play.google.com/store/apps/details?id=tdc.testesdecodigo
  3. https://apps.apple.com/pt/app/testes-de-c%C3%B3digo-imt-2020/id1451809836

Timeline:

  1. 2021-01-13: Issue reported to vendor
  2. 2021-01-13: Vendor acknowledged and confirmed the vulnerability
  3. 2021-02-02: Vendor fixed the issue
  4. 2021-02-05: New software version v12.1 released
  5. 2021-02-15: Public disclosure

Reported by: João Varelas <varelas@pm.me>
