Vulnerability Note VU#402847
Zizai Tech Nut contains multiple vulnerabilities
Zizai Tech Nut contains multiple vulnerabilities including sensitive information exposure and missing authentication.
CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6547
The Nut mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file.
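One way to test an app's local database for this class of finding is to log in with a throwaway account and then search every table and column for that account's password. This is an added example, not code from CERT/CC, the reporters or the vendor; the page does not describe the layout of cache.db, so the table names, column names and canary password below are constructed.

```python
import os
import sqlite3
import tempfile
from pathlib import Path


def _q(name):
    """Quote an SQLite identifier."""
    return '"' + name.replace('"', '""') + '"'


def find_cleartext(db_path, canary):
    """Return sorted (table, column, row_index) triples whose value contains canary."""
    needle = canary.encode("utf-8")
    # Open read-only so the check cannot modify the file under examination.
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        schema = {t: [r[1] for r in con.execute(f"PRAGMA table_info({_q(t)})")]
                  for t in tables}
        # Fetch TEXT as raw bytes so TEXT and BLOB columns are searched alike.
        con.text_factory = bytes
        hits = []
        for t, cols in schema.items():
            for c in cols:
                rows = con.execute(f"SELECT {_q(c)} FROM {_q(t)}")
                for i, (value,) in enumerate(rows):  # i is the scan-order index
                    if isinstance(value, bytes) and needle in value:
                        hits.append((t, c, i))
        return sorted(hits)
    finally:
        con.close()


def build_sample_db(path, password):
    """Constructed stand-in for an app cache; the schema is invented for the demo."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE request_cache (id INTEGER PRIMARY KEY, url TEXT, body BLOB)")
    con.execute("CREATE TABLE settings (key TEXT, value TEXT)")
    body = b'{"user":"tester","password":"' + password.encode() + b'"}'
    con.execute("INSERT INTO request_cache (url, body) VALUES (?, ?)",
                ("https://api.example.invalid/login", body))
    con.execute("INSERT INTO settings VALUES ('theme', 'dark')")
    con.commit()
    con.close()


if __name__ == "__main__":
    canary = "Canary-7f3a-test-only"  # constructed throwaway password
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "cache.db")
        build_sample_db(sample, canary)
        print(find_cleartext(sample, canary))
```

The search matches only the verbatim value, so an empty result does not rule out the password being stored in an encoded or otherwise reversible form.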
These vulnerabilities may allow a remote attacker to track a user's location without their consent.
The CERT/CC is currently unaware of a practical solution to this problem.
Use with caution
Vendor Information
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Zizai Tech|Affected|13 Sep 2016|25 Oct 2016|
Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.
This document was written by Trent Novelly.
- CVE IDs: CVE-2016-6547 CVE-2016-6548 CVE-2016-6549
- Date Public: 25 Oct 2016
- Date First Published: 25 Oct 2016
- Date Last Updated: 25 Oct 2016
- Document Revision: 23