CVE-WeBull-DoesntCare: WeBull, Exposure of Sensitive Information to an Unauthorized Actor

Thu, Feb 25, 2021 One-minute read

Affiliate Disclaimer

Potential Abuse

This vulnerability can give a threat actor access to the PII of a subject who is unaware it has been exposed.

A threat actor can leverage this vulnerability to create “watering holes” that target specific types of users. Once a user completes sign-up through the attacker's referral, their information is potentially leaked to the attacker, who can then target the victim with more sophisticated spearphishing attacks.

Affected Version(s)

  • Mac - All to Current (v4.7)
  • iOS - All to Current (v6.5.9)
  • Android - All to Current (v6.5.9.10)
  • Windows - All to Current (v4.7)
  • Linux - All to Current (v4.2)

Steps to Reproduce

  1. Sign up for a WeBull account
  2. Invite people to sign up using your referral link
  3. Users that sign up are now potentially leaking their PII to the attacker
  4. View details within WeBull application or web address here - https://act.webull.com/invitation/us/my.html
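The root cause of this class of issue is a referral dashboard that serialises the invitee's whole account record to the referrer, when the referrer only needs to know whether a reward is due. The following is an added illustration of that data-minimisation fix, written for this post; it is not WeBull's code and makes no claim about WeBull's implementation. The `Invitee` record, the sample invitees and the field names are all constructed for the example.

```python
"""Data minimisation for a referral/invitation dashboard (hypothetical example).

Models the vulnerability class described above: a referrer-facing view that
returns each invitee's full record (PII included) versus a hardened view that
projects only the fields a referrer legitimately needs. Not WeBull's code.
"""
from dataclasses import dataclass


@dataclass
class Invitee:
    """Constructed invitee record; every value below is fake sample data."""
    user_id: str
    full_name: str
    email: str
    phone: str
    signup_complete: bool
    reward_granted: bool


# Constructed sample data for three invitees of one referrer.
SAMPLE_INVITEES = [
    Invitee("u-1001", "Alice Example", "alice@example.invalid", "+1-555-0100", True, True),
    Invitee("u-1002", "Bob Example", "bob@example.invalid", "+1-555-0101", True, False),
    Invitee("u-1003", "Carol Example", "carol@example.invalid", "+1-555-0102", False, False),
]

# Direct identifiers that must never reach the referrer.
PII_FIELDS = {"user_id", "full_name", "email", "phone"}

# Allowlist: the only per-invitee fields a referrer needs to track a reward.
REFERRER_VISIBLE_FIELDS = ("signup_complete", "reward_granted")


def leaky_referral_view(invitees):
    """Vulnerable pattern: dump the whole record, PII and all, to the referrer."""
    return [vars(inv) for inv in invitees]


def hardened_referral_view(invitees):
    """Hardened pattern: allowlist projection plus an opaque per-invite reference.

    The reference is derived from the referrer's own invite ordering, so it
    carries no account identifier and cannot be correlated across referrers.
    """
    return [
        {"invite_ref": f"inv-{idx}", **{f: getattr(inv, f) for f in REFERRER_VISIBLE_FIELDS}}
        for idx, inv in enumerate(invitees, start=1)
    ]


def referral_summary(invitees):
    """Aggregate counts are frequently all a referral dashboard needs to show."""
    return {
        "invited": len(invitees),
        "completed": sum(inv.signup_complete for inv in invitees),
        "rewarded": sum(inv.reward_granted for inv in invitees),
    }


def leaks_pii(response):
    """Review/test helper: does any row of a serialised response carry a PII field?"""
    return any(PII_FIELDS & set(row) for row in response)


if __name__ == "__main__":
    print("leaky view leaks PII:   ", leaks_pii(leaky_referral_view(SAMPLE_INVITEES)))
    print("hardened view leaks PII:", leaks_pii(hardened_referral_view(SAMPLE_INVITEES)))
    print("summary:", referral_summary(SAMPLE_INVITEES))
```

A `leaks_pii`-style check belongs in the test suite of any referrer-facing endpoint: it fails the build if a future serializer change reintroduces an identifier, which is how a leak like the one reported here typically appears.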

Screenshot of WeBull application leaking PII
