Shazam Vulnerability exposed location of Android, iOS users

The vulnerability in Shazam was identified in 2019, but its details were only revealed last week.


Can’t find out the name of that song on television? You know who’ll help – Shazam. Recently though, a vulnerability found in the popular app, which could allow a malicious actor to learn a victim’s location, has come to light.


The vulnerability affected more than 100 million users at the time and had the potential to compromise their physical security, which marks its severity.


Tracked as CVE-2019-8791 and CVE-2019-8792, the vulnerability was discovered by British IT security researcher Ashley King. It is noteworthy that the issue was found back in 2018 and reported to the company in December of the same year.


However, because Shazam had by then been acquired by Apple, Ashley was asked to take up the issue with Apple, which led to the flaw finally being patched on March 26, 2019, on both iOS and Android, without any reward being handed out to him.

As for how the vulnerability worked, an attacker could send a malicious link to their intended victim. If the victim opened it, the link would automatically open the Shazam app and execute the malware, resulting in the victim’s location data being sent to the attacker.

