CVE-WeBull-DoesntCare: WeBull, Exposure of Sensitive Information to an Unauthorized Actor
Thu, Feb 25, 2021
This vulnerability potentially gives a threat actor access to the PII of an unknowing subject.
A threat actor can leverage this vulnerability to create “watering holes” targeting specific types of users. Once a user completes sign-up, their information will potentially be leaked to the attacker. The victim can then be further targeted by more sophisticated spear-phishing attacks.
- Mac - All to Current (v4.7)
- iOS - All to Current (v6.5.9)
- Android - All to Current (v220.127.116.11)
- Windows - All to Current (v4.7)
- Linux - All to Current (v4.2)
Steps to Reproduce
- Sign up for a WeBull account
- Invite people to sign up using your referral link
- Users that sign up are now potentially leaking their PII to the attacker
- View details within WeBull application or web address here - https://act.webull.com/invitation/us/my.html