{"vuid":"VU#704916","idnumber":"704916","name":"The TigerText Free Consumer Private Texting App (iOS) sends unencrypted user information in support requests","keywords":["tigertext","ios","sms","texting","app"],"overview":"The TigerText Free Consumer Private Texting App (iOS) sends unencrypted user information to TigerText support.","clean_desc":"The TigerText app generates an unencrypted log file containing the TigerText username and password on the device when a user taps on \"Contact Customer Support.\"  An email is generated to support that sends the log information with it. This does not impact the TigerText Pro application.","impact":"TigerText usernames and passwords may be viewable by TigerText support or others with access to the device or email. A recipient of the email containing the log file could use credentials to impersonate the user, gaining unauthorized access to any non-expired messages.","resolution":"Apply an Update\nAn updated app is available from the iTunes App Store. Version 3.1.402 or above contains a patch that removes sensitive information from the log file. The latest version is available here: https://itunes.apple.com/us/app/tiger-text/id355832697?mt=8","workarounds":"","sysaffected":"","thanks":"Thanks to Pedro Paixao for reporting this vulnerability.","author":"This document was written by Chris King.","public":["https://itunes.apple.com/us/app/tiger-text/id355832697?mt=8","http://cwe.mitre.org/data/definitions/260.html"],"cveids":["CVE-2013-0128"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2013-01-22T15:24:22Z","publicdate":"2013-04-02T00:00:00Z","datefirstpublished":"2013-04-02T15:33:02Z","dateupdated":"2013-04-02T15:33:04Z","revision":17,"vrda_d1_directreport":"1","vrda_d1_population":"1","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"L","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"N","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"OF","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"1.7","cvss_basevector":"AV:L/AC:L/Au:S/C:P/I:N/A:N","cvss_temporalscore":"1.4","cvss_environmentalscore":"0.4","cvss_environmentalvector":"CDP:N/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}