Issue 59: Vulnerabilities in Fortinet, Truecaller, Nykaa Fashion, SMA M2 smartwatch

This week is all about API vulnerabilities. We found them everywhere: from the client-to-cloud communications of Fortinet products, to an avatar hack in the Truecaller app, to an authentication flaw in Nykaa Fashion, and yet another kids' smartwatch system with an almost total lack of security.


Vulnerability: Fortinet


Researchers from SEC Consult found weak implementations in several Fortinet products. Embarrassingly, these were security products: FortiGuard Web Filter, FortiGuard AntiSpam, and FortiGuard AntiVirus. The communication between their local clients and their cloud backend left a lot to be desired.


All of the products rely on UDP and HTTP POST calls to send data from local clients to the cloud service. This data includes, for example:


  • Fortinet serial number

  • Full URLs in browsing history for FortiGuard Web Filter

  • Email data for FortiGuard AntiSpam

  • Unspecified data for FortiGuard AntiVirus

Instead of using standard encryption protocols, the products simply XORed the data. Even worse, they XORed it with a hard-coded key, the same one on every device. This meant that anyone who extracted the key could decrypt, read, and modify the traffic, and because plain XOR carries no integrity check, the receiving side cannot detect that a message was altered.


Reinventing the wheel in security is a bad idea. Using established protocols such as TLS, and their off-the-shelf implementations, makes a product far more secure than any home-grown scheme.
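To make the weakness concrete, here is an added example (not code from the advisory or from Fortinet) of what a repeating-key XOR scheme gives an attacker. The key, the message layout with a serial number followed by a browsed URL, and all sample data are constructed for this illustration; the real wire format is not described on this page. It shows three things: anyone holding the key reads the traffic, a known field such as the device serial number lets an observer recover the key from captured traffic, and an attacker can rewrite the plaintext without even knowing the key, because XOR has no integrity protection.

```python
"""Why XOR with a hard-coded, repeating key is not encryption.

Constructed example: the key, message layout and sample data below are
made up for illustration and are not Fortinet's.
"""
from itertools import cycle

# Hypothetical hard-coded key, assumed to be identical on every device.
HARDCODED_KEY = b"k3y-xor!"


def xor_with_key(data: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Repeating-key XOR. Applying it twice with the same key restores
    the original bytes, so 'encrypt' and 'decrypt' are the same call."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: XORing captured ciphertext against a field
    the attacker can predict (here the serial number at the start of the
    message) yields the key stream. With a repeating key, key_len bytes
    of key stream are the whole key."""
    stream = bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))
    return stream[:key_len]


def tamper(ciphertext: bytes, original: bytes, replacement: bytes, offset: int) -> bytes:
    """Bit-flipping: change the plaintext at `offset` from `original` to
    `replacement` by XORing the difference into the ciphertext. No key is
    needed, and nothing on the receiving side can detect the change."""
    if len(original) != len(replacement):
        raise ValueError("replacement must be the same length as original")
    mask = bytes(o ^ r for o, r in zip(original, replacement))
    out = bytearray(ciphertext)
    for i, m in enumerate(mask):
        out[offset + i] ^= m
    return bytes(out)


def demo() -> dict:
    """Run all three attacks on one constructed client-to-cloud message."""
    # Constructed message: a device serial followed by a browsed URL.
    message = b"SN=FGT1234567890;URL=https://intranet.example/hr/salaries.pdf"
    wire = xor_with_key(message)

    # 1. Anyone with the (shared, hard-coded) key reads the traffic.
    decrypted = xor_with_key(wire)

    # 2. An observer who only knows the serial number (printed on the
    #    device) recovers the key from the first 16 bytes of traffic.
    recovered_key = recover_key(wire, b"SN=FGT1234567890", len(HARDCODED_KEY))

    # 3. A man-in-the-middle rewrites the URL host without any key.
    offset = message.index(b"intranet")
    forged_wire = tamper(wire, b"intranet", b"attacker", offset)
    forged_plaintext = xor_with_key(forged_wire)

    return {
        "message": message,
        "decrypted": decrypted,
        "recovered_key": recovered_key,
        "forged_plaintext": forged_plaintext,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The third attack is the one that a simple "rotate the key" fix would not address: as long as the scheme is unauthenticated XOR, the backend will accept a modified URL or spam verdict as genuine. A transport such as TLS with certificate validation provides confidentiality, integrity and server authentication together, which is exactly what is missing here.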


Vulnerability: Truecaller


Ehraz Ahmed had a good week: two API vulnerabilities that he had found were disclosed.


The first one is a vulnerability in Truecaller. Truecaller is a mobile app that uses crowdsourcing to r ..
