BlackVue firmware security vulnerabilities: Difference between revisions

New incident page for 7 firmware CVEs across DR750 and DR590X. Two critical (9.8), DR750 unpatched since 2022. All sourced from NVD and GitHub PoCs.
 
Fixed server logs -> referral URLs per source, moved NVD ref to correct claim
 
Line 56: Line 56:
=== Hardcoded secrets in mobile app (CVE-2025-2355) ===
=== Hardcoded secrets in mobile app (CVE-2025-2355) ===


The BlackVue v3.65 APK contains hardcoded BCS_TOKEN & SECRET_KEY values in plaintext.<ref name="geochen" /> These client secrets are transmitted via GET parameters, which means they appear in browser history, server logs, & corporate proxy logs.<ref name="geochen" /> Anyone with access to these logs can extract the tokens.<ref name="nvd-2355">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2025-2355 |title=CVE-2025-2355 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref>
The BlackVue v3.65 APK contains hardcoded BCS_TOKEN & SECRET_KEY values in plaintext.<ref name="nvd-2355">{{Cite web |url=https://nvd.nist.gov/vuln/detail/CVE-2025-2355 |title=CVE-2025-2355 Detail |website=National Vulnerability Database |access-date=2026-03-28}}</ref> These client secrets are transmitted via GET parameters, which means they appear in browser history, referral URLs, & proxy logs.<ref name="geochen" />


=== Unauthorized API calls (CVE-2025-2356) ===
=== Unauthorized API calls (CVE-2025-2356) ===
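Review bot: the rewrite of the CVE-2025-2355 paragraph drops "server logs" and the whole follow-on sentence ("Anyone with access to these logs can extract the tokens"), which narrows the exposure described. Secrets sent as GET query parameters are recorded in web-server and proxy access logs as well as in browser history and Referer-derived URLs, so the old list was not wrong, only under-cited; if the geochen source only names referral URLs, consider keeping "server logs" on the NVD citation rather than deleting it. Also check that the NVD entry actually states the plaintext BCS_TOKEN and SECRET_KEY detail it now backs, since in the previous revision that reference only supported the log-extraction sentence. The ampersands ("BCS_TOKEN & SECRET_KEY", "referral URLs, & proxy logs") should be spelled out as "and" in article prose.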