SQL injection in the API for SeTracker Smartwatches of shenzhen sanjitongchuang electronic co. LTD allowed an attacker to execute arbitrary SQL commands
Smart Watches
NTCF:
NTCF-2024-23124
Product:
SeTracker
Vendor:
shenzhen sanjitongchuang electronic co. LTD
Criticality:
high
Status:
fixed
Discovered:
2024-04-19
Detail:
Public
Description
A SQL injection vulnerability was discovered in the API of SeTracker by Shenzhen Sanjitongchuang Electronic Co. LTD, the manufacturer of the SeTracker mobile app and its backend API, which are used by children's smartwatches and other tracking devices from various manufacturers. The vulnerability allowed an attacker to execute arbitrary SQL commands against the backend database. Since the vendor has not responded, it remains unclear whether customer data was exfiltrated.
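The following is a generic illustration of the vulnerability class described above, added to this page for context. It is not SeTracker's code, schema or endpoint (no technical details of the actual vulnerability are disclosed here); the table, the IMEI lookup and the sample rows are constructed assumptions. It shows an API-style lookup that concatenates untrusted input into a SQL statement, the same lookup using a bound parameter, and a strict input check as defense in depth.

```python
import re
import sqlite3

# Constructed sample data: a toy "device" table standing in for a tracker backend.
# Generic illustration only; it is not SeTracker's schema or code.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE device (id INTEGER PRIMARY KEY, imei TEXT, owner TEXT, lat REAL, lon REAL)"
    )
    conn.executemany(
        "INSERT INTO device (imei, owner, lat, lon) VALUES (?, ?, ?, ?)",
        [
            ("111111111111111", "alice", 47.37, 8.54),
            ("222222222222222", "bob", 46.95, 7.45),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, imei):
    # Vulnerable pattern: the caller-supplied value is pasted into the statement text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT imei, owner, lat, lon FROM device WHERE imei = '%s'" % imei
    return conn.execute(sql).fetchall()


def lookup_safe(conn, imei):
    # Hardened pattern: the value is bound by the driver and can never become SQL syntax.
    return conn.execute(
        "SELECT imei, owner, lat, lon FROM device WHERE imei = ?", (imei,)
    ).fetchall()


IMEI_RE = re.compile(r"^[0-9]{15}$")


def is_valid_imei(value):
    # Defense in depth: an IMEI is exactly 15 digits; reject anything else before
    # it reaches the database layer. This is an assumed validation rule for the example.
    return bool(IMEI_RE.match(value))


# A classic tautology payload: the closing quote ends the literal and the OR makes
# the WHERE clause true for every row, so the vulnerable lookup leaks the whole table.
PAYLOAD = "' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "111111111111111"),  # 1 row
        "vuln_payload": lookup_vulnerable(conn, PAYLOAD),           # all rows
        "safe_normal": lookup_safe(conn, "111111111111111"),        # 1 row
        "safe_payload": lookup_safe(conn, PAYLOAD),                 # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, len(rows), rows)
```

With the vulnerable lookup the payload returns every device's owner and last position; with the bound parameter the same string is simply compared as a literal IMEI and matches nothing. The input check stops malformed identifiers earlier still, but it is not a substitute for parameterized queries.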
In the past, other severe vulnerabilities affecting this manufacturer have been reported, for example by the Norwegian Consumer Council:
https://www.forbrukerradet.no/side/significant-security-flaws-in-smartwatches-for-children/
In accordance with the NTC Vulnerability Disclosure Policy, no technical details about this vulnerability will be publicly disclosed. Further details may be provided on a case-by-case basis.
Please use the contact form and provide an explanation for your request.
Timeline
2024-04-19: initial discovery
2024-04-23: first contact to vendor
2024-06-03: private disclosure to vendor
2024-06-03: no feedback from vendor: disclosure by email
2024-09-17: API endpoint is no longer reachable (silent fix). Still no answer from vendor. It is unclear whether customer data was exfiltrated.
2024-09-18: public disclosure