CVE-2022-24187

Published: Nov 28, 2022

Modified: Apr 29, 2025

PUBLISHED

Description

The user_id and device_id on the Ourphoto App version 1.4.1 /device/* end-points both suffer from insecure direct object reference vulnerabilities. Other end-users user_id and device_id values can be enumerated by incrementing or decrementing id numbers. The impact of this vulnerability allows an attacker to discover sensitive information such as end-user email addresses, and their unique frame_token value of all other Ourphoto App end-users.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://apps.apple.com/us/app/ourphoto-keep-our-memories/id1476241568

https://www.scrawledsecurityblog.com/2022/11/automating-unsolicited-richard-pics.html

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-24187

Description

Affected Products

References