Security Advisory: Ustream Mobile Application

October 3, 2012

  • Advisory Title: Ustream Mobile Application Information Disclosure Vulnerability
  • Internal ID: STRATSEC-2012-001
  • External ID: CVE Pending
  • Date discovered: August 6, 2012
  • Date reported: August 10, 2012
  • Date published: October 3, 2012
  • Current status: Reported to Vendor, not yet fixed
  • Discovered by: Beau Woods, Stratigos Security
  • Vendor: Ustream (USTREAM.TV)
  • Affected product: Ustream mobile application
  • Platform: iOS (confirmed); likely other versions (unconfirmed)
  • Version: 2.3.1 (confirmed); likely previous versions (unconfirmed)
  • Severity: 4.7 (CVSS v2)

Stratigos Security became aware of a vulnerability in the Ustream iOS application and reported the issue to Ustream on August 10, 2012. As of October 3, 2012, Ustream had not yet fixed the issue, nor did they have a projected date for issuing a fix. Therefore, Stratigos Security has gone ahead and released details of this as-yet-unpatched vulnerability to the public. We do not like to do this, nor do we take the decision lightly. However, given the fact that some individuals using the application are doing so under conditions whereby the information disclosed could lead to their identification by repressive governments and bodily harm to them or their friends and family, we are releasing this information publicly. It is highly likely that those who would exploit the vulnerability already know about it, whereas the potential victims are likely unaware.

The formal advisory is published here: Security Advisory STRAT-2012-001 Ustream Mobile Application Information Disclosure Vulnerability