Hard-coded credentials in MyCar mobile app leave thousands of cars vulnerable to attacks
April 10, 2019 | Malware and Vulnerabilities
- The MyCar controls mobile application for Android and iOS contains hard-coded admin credentials.
- Users are advised to update to MyCar for iOS version 3.4.24 and MyCar for Android 4.1.2 to fix the vulnerability.
What is the issue - The MyCar controls mobile application for Android and iOS contains hard-coded admin credentials.
Why it matters?
- These credentials can be used by attackers to communicate and send commands to the target user account’s server endpoint.
- Attackers can also retrieve data such as the target’s location from a target MyCar unit as well as gain unauthorized physical access to a target’s vehicle.
The big picture
MyCar Controls is a vehicle telematics mobile app that allows users to pre-warm or pre-cool their car’s cabin, lock or unlock their car doors, arm or disarm their car’s security system, open their car trunk, and track their car in a parking lot.
The application contains hard-coded admin credentials, which attackers can use in place of a user’s username and password to communicate with the target user account.
“The MyCar Controls mobile application contains hard-coded admin credentials (CWE-798) which can be used in place of a user's username and password to communicate with the server endpoint for a target user's account,” Carnegie Mellon University CERT Coordination Center said in a security alert.
This vulnerability impacts all versions prior to 3.4.24 on iOS and prior to 4.1.2 on Android.
Patch available - Automobility Distribution, the company behind the MyCar app, has released security updates for both the Android and iOS apps to remove the hard-coded admin credentials.
The bottom line - Users are advised to update to MyCar for iOS version 3.4.24 and MyCar for Android 4.1.2 to fix the vulnerability.
