Insecure Session Management and Password Transmission in iTrack Easy

Insecure Session Management and Password Transmission in iTrack Easy

CVE-2016-6545 · MEDIUM Severity

AV:N/AC:L/AU:N/C:P/I:N/A:N

Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request. In this implementation, sessions can only be terminated when the user changes the associated password.

Learn more about our User Device Pen Test.