Status:
Public
Vendor:
BUTTERFLY BUTTON PROJECT
Product:
BUTTERFLY BUTTON
CVE Description:
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in BUTTERFLY BUTTON PROJECT - BUTTERFLY BUTTON (Architecture flaw) allows loss of plausible deniability and confidentiality.
This issue affects BUTTERFLY BUTTON: As of 2023-08-21.
Further Details:
The SDK provided by the BUTTERFLY BUTTON PROJECT for the BUTTERFLY BUTTON hosts resources on various websites that can easily be enumerated.
As a result, the solution, which is aimed at helping persons undergoing domestic abuse, provides a false sense of security. In addition to
computer-borne monitoring, network monitoring can also disclose the communications with the project.
The credited researcher, Erez Kalman, has shown his repeated attempts to contact the project to have the architecture fixed and offered
free assistance in securing it, but was ignored.
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS 3.1 Risk:
HIGH
CVSS 3.1 Score:
7.5
CVSS Metrics:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Links:
https://butterfly-button.web.app
https://github.com/TheButterflySDK
CVE Published:
2023-08-21
CVE Updated:
2023-08-22
Credit:
Erez Kalman