CVE-2021-21823
An information disclosure vulnerability exists in the Friend finder functionality of GmbH Komoot version 10.26.9 up to 11.1.11. A specially crafted series of network requests can lead to the disclosure of sensitive information.
Komoot GmbH Komoot 10.26.9
Komoot GmbH Komoot 11.0.14
Komoot GmbH Komoot 11.1.11
5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-359 - Exposure of Private Information (‘Privacy Violation’)
Komoot is a route planner available for several devices (Android, iOS, and others). It is mostly used for planning outdoor activities like biking and hiking and features offline maps, turn-by-turn navigation and tour recording. Routes and past recordings can be saved online and shared with other users.
In the Komoot Android app, the friend finder feature in the user profile section allows users to search for friends by name or email address. The search does not require an exact match, however: the entered string is matched as a substring, and every partial match is suggested. Searching for “gmail”, “gmx”, “web.de” or similar lists a seemingly endless number of email addresses belonging to users whose usernames match. It is thus possible to look for and target people working for certain companies simply by specifying a domain name. The email addresses used to register an account are not searchable in that way. The ability to be found in a search can be disabled, but it is enabled by default.
Additionally, the substring search can be abused to identify profile IDs for accounts. For example, if searching for “123456” returns 10 accounts, appending a single digit (1, 2, 3 and so on) shows a subset of those 10 accounts. One can keep appending single digits (as long as at least one profile is still shown) until the profile ID length of 13 digits is reached, revealing the full profile ID.
Note that even though the profile ID of a specific profile is not secret, since it can be obtained through other means, this issue allows enumerating all profile IDs registered on the platform by brute forcing single digits one at a time, which makes the search space very small.
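The following added example (not Komoot's code, a hypothetical lookup over a constructed directory) contrasts the substring matching described above with an exact-match variant that neither harvests addresses by domain nor lets a numeric prefix be extended digit by digit; the minimum query length and the field names are assumptions.

```python
"""Hypothetical friend-finder lookup, constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    profile_id: str      # 13-digit numeric ID, as on the platform
    username: str        # display name; some users register an address here
    discoverable: bool   # the opt-out the advisory mentions (on by default)


# Constructed sample directory; IDs and names are made up.
DIRECTORY = [
    Profile("1963024692729", "alice.rider@gmail.com", True),
    Profile("1963024699999", "bob@web.de", True),
    Profile("1234567890123", "carol", True),
    Profile("1234567890124", "dave@gmail.com", False),
]


def substring_search(query: str) -> list[str]:
    """Behaviour the advisory describes: any substring of the username or
    of the numeric profile ID matches, so a domain name returns every
    address containing it and a digit prefix narrows the ID space."""
    q = query.lower()
    return [p.profile_id for p in DIRECTORY
            if p.discoverable and (q in p.username.lower() or q in p.profile_id)]


def exact_search(query: str) -> list[str]:
    """Hardened variant: match only a complete username or address, never
    the profile ID, and require a minimum length (assumed: 3) so that
    short probes return nothing."""
    q = query.strip().lower()
    if len(q) < 3:
        return []
    return [p.profile_id for p in DIRECTORY
            if p.discoverable and p.username.lower() == q]


if __name__ == "__main__":
    print(substring_search("gmail"))   # every discoverable gmail user
    print(substring_search("19630"))   # partial ID still matches
    print(exact_search("gmail"))       # []
    print(exact_search("bob@web.de"))  # ['1963024699999']
```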
Another issue, unrelated to the substring search functionality, is that deleting an account does not delete its profile picture. We created a test account with ID 1963024692729, which was then deleted on April 20th, 5.38pm CEST. The image for that account is however still available at: https://d2exd72xrrp1s7.cloudfront.net/www/zx/zx3uli96uvjw14fsrz310f5903qutq15n-u1963024692729-full/178efac38f8?width=100&height=100&crop=true&q=75
2021-04-26 - Vendor Disclosure
2021-05-28 - Vendor Patched
2021-06-08 - Talos tested fix
2021-06-08 - Public Release
Discovered by Martin Zeiser of Cisco Talos.