Your ship comms app is 'secured' with a Flash interface, doesn't sanitise SQL inputs and leaks user data, you say?
2020-12-16 09:30

A software suite intended to let merchant ships' crews digitally communicate with the world ashore was riddled with security vulnerabilities including undocumented admin accounts with hardcoded passwords and widespread use of Adobe Flash.

Infosec consultancy Pen Test Partners said it took all of 90 minutes to discover enough problems with Dualog Connection Suite to submit six CVE number requests.

Findings included an undocumented admin account with a hardcoded password - a password that Pen Test Partners cracked in 10 minutes.

The user interface was "Secured" with an Adobe Flash app with a unique 2FA interface.

A closer look at queries made to Dualog Connection Suite's backend revealed SQL traffic passing back and forth; PTP discovered that tweaking some queries returned "All the details about all of the users across all ships operated by the company, not just the ship we were on."
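To illustrate the cross-ship leak described above, the following added example (not Dualog's code, and using a hypothetical `users` table with constructed sample rows) contrasts a backend that executes SQL handed to it by the client with one that binds the ship scope from the server-side session and parameterises user input:

```python
import sqlite3

# Constructed sample data: two ships, two crew members each (not from the report).
USERS = [
    (1, "SHIP-A", "alice"), (2, "SHIP-A", "bob"),
    (3, "SHIP-B", "carol"), (4, "SHIP-B", "dave"),
]


def make_db():
    """Build an in-memory database with the hypothetical users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, ship TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def list_users_client_sql(conn, client_sql):
    """Vulnerable pattern: the backend runs whatever SQL the client sends.

    The ship filter lives only in the client's query text, so a client that
    edits the query can read every ship's users.
    """
    return [row[0] for row in conn.execute(client_sql)]


def list_users_scoped(conn, session_ship, name_prefix):
    """Hardened pattern: tenant scope comes from the authenticated session.

    The client never supplies SQL; it supplies a search value that is bound as
    a parameter, and the server adds the ship restriction itself.
    """
    sql = "SELECT name FROM users WHERE ship = ? AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (session_ship, name_prefix + "%"))]
```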
News URL

https://go.theregister.com/feed/www.theregister.com/2020/12/16/dualog_communications_suite_cves/