Home CVE-2021-25648 - Privilege Escalation in Mobile Application Testes de Código

CVE-2021-25648 - Privilege Escalation in Mobile Application Testes de Código


Vulnerability Details

Vendor: TM Mobile Solutions app@testes-codigo.pt

Product: “Testes de Código” Mobile Application (Android & iOS)

About: The mobile application “Testes de Código” (tdc.testesdecodigo) let their users perform theoretical driving tests according to Portuguese traffic rules. The application also integrates a public forum to ask questions and chat for communication between students. This is the #1 mobile app to practice theoretical driving tests in Portugal with 500.000+ installations on Android devices.

Affected version: Version 11.4 and earlier.

Problem type: Privilege escalation; Access to administrative interface

Description: The system relies on client-side storage of user permissions and an attacker may tamper the values of “isAdmin” and “isPremium” parameters. Consequently, an attacker may gain access to administrative interface that communicates with the backend API webserver.

Solution: Update the mobile application to version 12.1 or newer.


  • https://testes-codigo.pt/
  • https://play.google.com/store/apps/details?id=tdc.testesdecodigo
  • https://apps.apple.com/pt/app/testes-de-c%C3%B3digo-imt-2020/id1451809836


  • 2021-01-13: Issue reported to vendor
  • 2021-01-13: Vendor acknowledge and confirm the vulnerability
  • 2021-02-02: Vendor fix the issue
  • 2021-02-05: Released new software version v12.1
  • 2021-02-15: Public disclosure

Reported by: João Varelas joaomvarelas@gmail.com

This post is licensed under CC BY 4.0 by the author.