Zizai Tech Nut contains multiple vulnerabilities including sensitive information exposure and missing authentication.
CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6547
The Nut mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file.
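One way to check an app build for this class of flaw: log in with a throwaway account, pull the app's cache.db from a test device, and search every table for that account's password. This is an added example, not code from the advisory or the vendor; the table layout, URLs and password below are constructed sample data, and the function names are hypothetical.

```python
import os
import sqlite3
import tempfile
from urllib.parse import quote

def find_cleartext(db_path, secret):
    """Return sorted (table, column, rowid) hits where `secret` is stored unprotected."""
    # Match the raw value and its percent-encoded form (as in a cached form body).
    needles = {secret.encode("utf-8"), quote(secret, safe="").encode("ascii")}
    hits = []
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # read-only open
    try:
        tables = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            cols = [r[1] for r in con.execute(f'PRAGMA table_info("{table}")')]
            for col in cols:
                for rowid, value in con.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                    if value is None:
                        continue
                    data = value if isinstance(value, bytes) else str(value).encode("utf-8")
                    if any(n in data for n in needles):
                        hits.append((table, col, rowid))
    finally:
        con.close()
    return sorted(hits)

def build_sample_db(path, secret):
    """Constructed sample data: a cache table holding a login request body."""
    body = f"user=tester&password={quote(secret, safe='')}".encode("ascii")
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE cached_request (url TEXT, body BLOB)")
    con.executemany("INSERT INTO cached_request VALUES (?, ?)", [
        ("https://api.example.invalid/login", body),
        ("https://api.example.invalid/devices", b'{"devices": []}'),
    ])
    con.commit()
    con.close()

def demo():
    secret = "Canary-P@ss-7731"  # constructed throwaway test password
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cache.db")
        build_sample_db(path, secret)
        return find_cleartext(path, secret)

if __name__ == "__main__":
    print(demo())
```

Any hit means the credential is recoverable by anyone who can read the file, for example from a device backup. An empty result only rules out the two encodings searched.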
These vulnerabilities may allow a remote attacker to track a user's location without their consent.
The CERT/CC is currently unaware of a practical solution to this problem.
Use with caution
Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.
This document was written by Trent Novelly.