The Grandstream Wave application version 1.0.1.26 periodically queries the Grandstream server for app updates. If a new update is found, the app shows a notification to the user that either opens the app's Google Play page or auto-downloads the APK file and opens it for installation. The update information is downloaded over an insecure connection from `media.ipvideotalk.com` and contains the version code and the update URL. An active attacker can redirect this request and trick the user into downloading a malicious update package
c530b1e4af62da81fc070ef71c1611d62d2872d39d07e2b965fb3fe3445fd447
Grandstream VoIP products deploy a remote provisioning mechanism that allows to automatically set configuration elements on app startup. By default, an insecure connection to `fm.grandstream.com` is used to obtain the provisioning profile. However, even if an HTTPS URL is configured, the certificate is not validated, allowing an active attacker to successfully impersonate the provisioning server with an invalid, mismatching or outdated certificate.
e07ded7e5b842693413e62a615f10b879e181af670786c29c60e322c6aec3f73
The Grandstream VoIP products deploy a remote provisioning mechanism that allows to automatically set configuration elements on phone/app startup. By default, an insecure connection to `fm.grandstream.com` is used to obtain the provisioning profile. An active attacker can redirect this request and change arbitrary values of the configuration. This allows to redirect phone calls through a malicious server, turn the phone into a bug, change passwords, and exfiltrate system logs (including the phone numbers dialed by the user).
d1b894d5b6d9a118fe3fc810c4b4021f3cba247d9652471c993cfbcaf8b5e96a
Smack XMPP library for Java suffers for a man-in-the-middle vulnerability. Versions 4.0.0 and 4.0.1 are affected.
cc79aa40f99651e357445431f6e8d8c60ecbebbfc96fefd016f0aff6670bf205
Instagram for Android suffers from a partial cryptographic authentication issue and also hard codes a secret key in the application.
fe4ecab0cd3f2337a6c819fe2cd9a3cdca982c55e8e4679b44d218f444dacefb