Security Advisory: Ustream Mobile Application
Advisory Title: Ustream Mobile Application Information Disclosure Vulnerability
Internal ID: STRATSEC-2012-001
External ID: CVE Pending
Date discovered: August 6, 2012
Date reported: August 10, 2012
Date published: October 3, 2012
Current status: Reported to Vendor, not yet fixed
Discovered by: Beau Woods, Stratigos Security
Vendor: Ustream (USTREAM.TV)
Affected product: Ustream mobile application
Platform: iOS (confirmed); likely other versions (unconfirmed)
Version: 2.3.1 (confirmed); likely previous versions (unconfirmed)
Severity: 4.7 (CVSS v2)
Stratigos Security became aware of a vulnerability in the Ustream iOS application and reported the issue to Ustream on August 10, 2012. As of October 3, 2012, Ustream had not yet fixed the issue, nor did they have a projected date for issuing a fix. Therefore, Stratigos Security has released details of this as-yet-unpatched vulnerability to the public. We do not like to do this, nor do we take the decision lightly. However, some individuals use the application under conditions in which the information disclosed could lead to their identification by repressive governments and to bodily harm to them or their friends and family, so we are releasing this information publicly. It is highly likely that those who would exploit the vulnerability already know about it, whereas the potential victims are likely unaware.
The formal advisory is published here: Security Advisory STRAT-2012-001 Ustream Mobile Application Information Disclosure Vulnerability