Vulnerabilities

CVE-2021-40527

by Fred · 25/10/2021

Exposure of senstive information to an unauthorised actor in the "com.onepeloton.erlich" mobile application up to and including version 1.7.22 allows a remote attacker to access developer files stored in an AWS S3 bucket, by reading credentials stored in plain text within the mobile application.

Date published : 2021-10-25

In light of our disclosure, @onepeloton released firmware version PTX14B last week for affected devices, which they have indicated fully mitigate these vulnerabilities. @McAfee_ATR has not been able to independently verify the patch's effectiveness at this time. 2/2

— Mark Bereza 🇺🇦 (@ROPsicle) September 15, 2021

Similar

Tags: Cybersecurity Alert