CVE-2022-0732

Description

The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.

Affected products

• 1Byte / Copy9All – All
• 1Byte / ExactSpyAll – All
• 1Byte / FoneTrackerAll – All
• 1Byte / GuestSpyAll – All
• 1Byte / iSpyooAll – All
• 1Byte / MxSpyAll – All
• 1Byte / SecondCloneAll – All
• 1Byte / TheSpyAppAll – All
• 1Byte / The Truth SpyAll – All

References

• MISChttps://www.kb.cert.org/vuls/id/229438
• MISChttps://cwe.mitre.org/data/definitions/284.html
• MISChttps://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/
• MISChttps://kb.cert.org/vuls/id/229438