We noticed that the Android version of the app returned the CORS Access-Control-Allow-Origin header on its responses. This header instructs a web browser to relax the Same Origin Policy, which normally stops script on one site from reading responses returned by another site. With the header present, a page served from an attacker's site and opened in the user's browser can read the app's responses rather than merely send requests to it. A related vulnerability allowed remote hijack of the toy over the public internet.

The CORS issue was relatively simple to resolve, and fixing it prevents the remote hijack problem with the Android version of the app. Hence, updating the app to the latest version resolves the issue.

This was an effective workaround for the problem, although it does not stop a port scan from being used to discover the web server. Enumeration and remote control/hijack from the local network are therefore still possible. We think this is a less serious issue though.

Any user of the same network (assuming no client segregation) can see these requests and deduce that the user has the app installed. That means that, for example, other users of the same Wi-Fi network (maybe friends and relatives?) could work out that the app is in use. Here's the request:

Separately, it would be wise for cam models to use a dedicated mobile device that is not used for any other online activities. If the user has another job in addition to cam modelling and uses the same smartphone for email and social networking as well, then taking that phone to their workplace could cause significant problems. I hope not; I do not know how many cam models also have other employment. However, the consequence for even one cam model being unmasked in an uncontrolled, unmanaged fashion through this security flaw could be significant.
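To make the CORS point above concrete, here is an added illustration in JavaScript. It is not code from the app or its vendor; it models, in a few pure functions, what the browser does with a cross-origin response depending on the Access-Control-Allow-Origin header the app's local web server sends back. The origins (app.example, web.example, attacker.example) and the allow-list are made up for the example.

```javascript
// Added illustration, not the app's code. Models the effect of a permissive
// Access-Control-Allow-Origin header versus an origin allow-list, as seen from
// the browser of a user who opens an attacker's page while the app's local
// web server is running. All origins below are hypothetical.

// Origins the app's own front end legitimately loads from (assumed values).
const TRUSTED_ORIGINS = new Set(["https://app.example", "https://web.example"]);

// Weak behaviour: a wildcard on every response, regardless of who asked.
function weakCorsHeaders(requestOrigin) {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened behaviour: echo the Origin only if it is on the allow-list, and add
// Vary: Origin so a shared cache never serves one origin's answer to another.
// A missing Origin header (same-origin or non-browser client) and the literal
// "null" origin (file: pages, sandboxed iframes) get no CORS header at all.
function strictCorsHeaders(requestOrigin) {
  if (typeof requestOrigin === "string" && TRUSTED_ORIGINS.has(requestOrigin)) {
    return { "Access-Control-Allow-Origin": requestOrigin, Vary: "Origin" };
  }
  return {};
}

// Simplified model of the browser's CORS response check for a cross-origin
// fetch(): may script running on pageOrigin read the response body?
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;      // no header: body withheld from script
  if (acao === "*") return !withCredentials; // "*" is rejected when cookies/auth are sent
  return acao === pageOrigin;                // otherwise it must match exactly
}

// One cross-origin request from pageOrigin against a server using `policy`.
// Returns "READ" if the page's script gets the body, "BLOCKED" otherwise.
function crossOriginAttempt(policy, pageOrigin, withCredentials = false) {
  const responseHeaders = policy(pageOrigin);
  return browserAllowsRead(pageOrigin, responseHeaders, withCredentials)
    ? "READ"
    : "BLOCKED";
}

// Compare both policies for a list of requesting origins.
function compare(origins) {
  const out = {};
  for (const origin of origins) {
    out[origin] = {
      weak: crossOriginAttempt(weakCorsHeaders, origin),
      strict: crossOriginAttempt(strictCorsHeaders, origin),
    };
  }
  return out;
}

// Demo: the wildcard lets the attacker's page read everything; the allow-list
// only lets the app's own origin through.
console.table(compare(["https://app.example", "https://attacker.example", "null"]));
```

Note what this does and does not cover: the comparison is only about browser-mediated reads, which is the route the CORS header opens. A client on the same Wi-Fi network that finds the server with a port scan talks to it directly, without a browser, and the CORS header plays no part in that; that is the remaining local-network enumeration and control issue described above, which the header fix does not address.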