A vulnerability in VLC for iOS allows local attackers to steal data from the storage just by having the source URL/IP.
The vulnerability was discovered by the security researcher Dhiraj and the flaw resides in the functionality of the application for iOS.
According to the researcher, “VLC for iOS was vulnerable to an unauthenticated insecure direct object reference”: an attacker can exploit this vulnerability just by changing the “id”, “pid”, or “uid” in the URL.
The website or application then takes the request, goes to the database, and fetches records other than those the user is permitted to access.
Here the vulnerability resides in the functionality that allows users to share files with others over Wi-Fi.
If two users are sharing a video over Wi-Fi using vlc-iOS, a third user can trigger a successful unauthenticated IDOR just by having the source IP.
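The missing check described above, shown beside a handler that authenticates the caller and then authorizes the specific object. This is an added example, not VLC's code or its actual fix; the URL layout, the `token` parameter, the `ShareSession` class and the sample library are all hypothetical.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: media library on the sharing device (id -> file name).
LIBRARY = {"1": "holiday.mp4", "2": "private-notes.mov", "3": "clip.mkv"}


class ShareSession:
    """Hypothetical sharing session: the owner exposes only selected ids."""

    def __init__(self, shared_ids):
        self.shared_ids = set(shared_ids)
        # Random secret given only to the intended recipient (assumption).
        self.token = secrets.token_urlsafe(32)


def _param(url, name):
    """Return the first value of a query parameter, or '' if absent."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def fetch_unchecked(url):
    """IDOR pattern: the id from the URL is looked up with no checks."""
    name = LIBRARY.get(_param(url, "id"))
    return (200, name) if name else (404, None)


def fetch_checked(session, url):
    """Authenticate the caller, then authorize the specific object."""
    supplied = _param(url, "token").encode()
    if not hmac.compare_digest(supplied, session.token.encode()):
        return (401, None)  # unauthenticated third party stops here
    media_id = _param(url, "id")
    # Unshared and nonexistent ids get the same answer, so the response
    # does not reveal which ids exist in the library.
    if media_id not in session.shared_ids or media_id not in LIBRARY:
        return (403, None)
    return (200, LIBRARY[media_id])


if __name__ == "__main__":
    s = ShareSession(shared_ids={"1"})
    base = "http://192.0.2.10/download?id="  # constructed URL (TEST-NET address)
    print(fetch_unchecked(base + "2"))                    # served without checks
    print(fetch_checked(s, base + "2"))                   # 401: no token
    print(fetch_checked(s, base + "2&token=" + s.token))  # 403: not shared
    print(fetch_checked(s, base + "1&token=" + s.token))  # 200: shared item
```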
VLC for iOS is a free VLC media player for iPad, iPhone, and iPod touch. VLC is a free, open source, cross-platform multimedia player and framework that plays most multimedia files.
The bug was reported to VLC and fixed in version 3.2.7, which was released on March 25th.
Along with this, the release fixed other bugs.