Kaymera CipherBond App Debug Logs Handling Issue. FIXED.

13.5.2021

Summary

Kaymera Technologies announced today that a critical vulnerability was found in our app, examined and remediated, making our protection firmer and more reliable than ever.

The vulnerability was related to a debug logging level that caused metadata about users’ activity to be written to logs, with a theoretical potential for loss of information confidentiality.

The vulnerability was identified and brought to our attention by our client, the Cyber Security department of Assicurazioni Generali.

Fixes

If you are using a CipherBond Application version lower than 10.11.14 on iOS or 10.2.36 on Android, you can fix this issue simply by upgrading the app through the Google Play Store or App Store.

Check the version after the update is installed. No further action is required from clients and users at this point.

  • If the CipherBond Android version is lower than 10.2.36, upgrade it here.
  • If the CipherBond iOS version is lower than 10.11.14, upgrade it here.

Description

On 26.3.2021, a critical vulnerability was found in the Android and iOS versions of Kaymera’s CipherBond application, available on Google Play Store and App Store.

The vulnerability was brought to our attention by our client and collaborator, the Cyber Security department of Assicurazioni Generali.

This particular issue was related to a debugging log and its improper handling. If an attacker had access to the Kaymera management console or to a rooted Android device, it was possible to retrieve logs containing message and VoIP metadata, which could have led to a loss of confidentiality for data relating to the activity of the affected users.

Within several hours of the issue being diagnosed and closely studied by our security experts, Kaymera’s development and security teams started work on a fix according to a defined remediation plan, to reaffirm our clients’ confidence in our product and credibility.

Based on our investigations, Kaymera’s security team has verified and confirmed that there was no unauthorized access to any user environment through this vulnerability, and that no client data was involved. It is also worth noting that even if the issue had affected users’ environments, it would have affected only clients with access to the Kaymera Security Command Center, which includes an additional layer of security verification in the form of Admin access rights by default.

We continue to work with the relevant customers to update the methodology and workflow for diagnostic log handling and adopt a completely new process. Kaymera’s team has also uploaded an updated CipherBond app listing, free from this vulnerability, to Google Play Store and App Store, and both versions have been approved.

Corrective and preventive measures

Having analyzed the incident in depth, our team has designed a new procedure, which was evaluated as an effective measure to prevent similar incidents in the future. The updated process will affect log code management, admin end-user limitations, test log QA procedures, and log deletion.
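The failure mode described above (a debug log level writing message and VoIP metadata to logs) and the "test log QA procedures" in the corrective measures both come down to two controls: catching sensitive fields in log output before release, and making sure a release build never emits them. The following is an added example, not Kaymera's code or any part of CipherBond; the log tag, the field names (`peer=`, `body=`, `to=`) and the phone numbers are constructed for illustration, and the patterns are placeholders for whatever a real QA step would match.

```python
"""Added example (not Kaymera code): a debug-log QA check and a redacting logger.

Models the failure mode in the advisory: a debug log level that writes message
and VoIP metadata to logs. Log tag, field names and numbers are constructed.
"""
import logging
import re
from typing import List, Tuple

# Hypothetical markers of user-activity metadata that must never reach logs:
# E.164-style phone numbers, message bodies, and the VoIP peer of a call.
SENSITIVE_PATTERNS = {
    "e164_number": re.compile(r"\+\d{7,15}"),
    "message_body": re.compile(r'\bbody="[^"]*"'),
    "voip_peer": re.compile(r"\bpeer=\S+"),
}

# Constructed sample of what a verbose debug build might have written.
SAMPLE_LOG = [
    "D/CipherBond: call setup peer=+4915512345678 codec=opus",
    'D/CipherBond: msg sent to=+390612345678 body="see you at 5"',
    "I/CipherBond: sync complete (12 items)",
]


def find_leaks(lines: List[str]) -> List[Tuple[int, str]]:
    """QA step: return (line number, pattern name) for every sensitive hit."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for name, pattern in SENSITIVE_PATTERNS.items():
            if pattern.search(line):
                findings.append((lineno, name))
    return findings


def redact(line: str) -> str:
    """Mask sensitive fields; phone numbers first, then the fields that hold them."""
    line = SENSITIVE_PATTERNS["e164_number"].sub("+[REDACTED]", line)
    line = SENSITIVE_PATTERNS["message_body"].sub('body="[REDACTED]"', line)
    line = SENSITIVE_PATTERNS["voip_peer"].sub("peer=[REDACTED]", line)
    return line


class RedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler formats it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


def build_logger(name: str, release_build: bool):
    """Release builds never emit DEBUG; every build passes through redaction."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO if release_build else logging.DEBUG)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, handler


def emitted_in_build(release_build: bool) -> List[str]:
    """Log the same two events and return what actually reached the handler."""
    logger, handler = build_logger(f"cipherbond-demo-{release_build}", release_build)
    logger.debug("call setup peer=%s codec=opus", "+4915512345678")
    logger.info("sync complete (%d items)", 12)
    return handler.lines


if __name__ == "__main__":
    for lineno, name in find_leaks(SAMPLE_LOG):
        print(f"line {lineno}: {name} -> {redact(SAMPLE_LOG[lineno - 1])}")
    print("release:", emitted_in_build(True))
    print("debug:  ", emitted_in_build(False))
```

`find_leaks` is the shape of a test-log QA gate: run it over the logs captured during a test pass and fail the build on any finding. The two layers in `build_logger` are deliberate: the level gate means a release build never produces the DEBUG record at all, and the redacting filter means that even a debug build, or a line that slips through at INFO, does not carry the raw metadata into a log that an administrator or a rooted device could later read.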

We take this incident very seriously and are conducting a thorough review of our internal processes to ensure this does not occur again for any of our clients. We at Kaymera, like our clients, have zero tolerance for any potential security incident, and therefore we strive to excel in our products and services, taking into account any potential vulnerability, thus elevating our strong commitment to our clients.

If you have any questions, please feel free to raise a request with our support helpdesk at support@kaymera.com

Sincerely,

Kaymera Technologies