Thursday, February 6, 2025
HomeCVE/vulnerabilityVulnerability with VLC for iOS Allows Attackers to Steal Data from Storage

Vulnerability with VLC for iOS Allows Attackers to Steal Data from Storage

Published on

SIEM as a Service

Follow Us on Google News

A vulnerability with VLC for iOS allows local attackers to steal the data from the storage by just having the source URL/IP.

The vulnerability was discovered by the security researcher Dhiraj and the flaw resides in the functionality of the application for iOS.

Vulnerability with VLC for iOS

According to the researcher, the “VLC for iOS was vulnerable to an unauthenticated insecure direct object reference“, an attacker can exploit this vulnerability by just changing the “id”, “pid”, “uid” in the URL.

So the website or the application saves the request and it goes to the database and fetches different records than the permitted for the user.

Here the vulnerability resides in the functionality that allows users to share files with others over WiFi.

If two users sharing the video over Wi-Fi using vlc-iOS and the third user by just having the source IP can trigger a successfully unauthenticated IDOR.

It is a free VLC media player to iPad, iPhone, and iPod touch. It is a free open source cross-platform multimedia player and framework that plays most multimedia files.

The bug has been reported to VLC and it was fixed with version Version 3.2.7, which was released on March 25th.

Along with this, they fixed other bugs, here you can get the complete details.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Paragon Spyware Allegedly Ends Spyware Contract with Italy

Paragon Solutions, an Israeli cybersecurity firm, has reportedly ended its spyware contract with Italy.The...

Authorities Arrested Hacker Who Compromised 40+ Organizations

Spanish authorities have arrested a hacker believed to be responsible for cyberattacks targeting over...

OpenAI Data Breach – Threat Actor Allegedly Claims 20 Million Logins for Sale

OpenAI may have become the latest high-profile target of a significant data breach.A...

Lumma Stealer Attacking Windows Users In India With Fake Captcha Pages

Cybersecurity experts are raising alarms over a new wave of attacks targeting Windows users...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

F5 BIG-IP SNMP Flaw Allows Attackers to Launch DoS Attacks

A recently disclosed vulnerability in F5's BIG-IP systems has raised alarm within the cybersecurity...

Cisco IOS SNMP Vulnerabilities Allow Attackers to Launch DoS Attacks”

Cisco has disclosed multiple vulnerabilities in its Simple Network Management Protocol (SNMP) subsystem affecting...

MobSF Framework Zero-Day Vulnerability Allows Attackers to Trigger DoS in Scan Results

A recently discovered zero-day vulnerability in the Mobile Security Framework (MobSF) has raised alarms...