Ypsomed mylife Vulnerabilities
Summary
Four vulnerabilities in Ypsomed's mylife diabetes management software have been found. Exploitation of these vulnerabilities could expose credentials or allow an opportunity for a Man-in-the-Middle attack.
Affected platforms
The following platforms are known to be affected:
Ypsomed mylife Cloud Versions: all prior to 1.7.2
Ypsomed mylife App Versions: all prior to 1.7.5
Threat details
Introduction
Security researchers have discovered four vulnerabilities in Ypsomed's mylife diabetes management platform. If successfully exploited, a remote attacker could obtain sensitive application information or modify data in transit.
The first two vulnerabilities concern insufficiently protected credentials: one discloses password hashes during the registration process, and the other reflects the user's password during the login process when redirecting from an HTTPS to an HTTP endpoint. The third and fourth vulnerabilities could allow a Man-in-the-Middle (MitM) attack; the third centres on a known weakness in how initialisation vectors are used in Cipher Block Chaining (CBC) mode, and the fourth is based on hard-coded secrets.
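The advisory does not say which initialisation-vector weakness was found, so the following added example (not Ypsomed's code, and not taken from the advisory) assumes the most common one: a fixed, hard-coded IV reused for every CBC encryption. It uses a toy 16-byte Feistel block cipher built from HMAC-SHA256 as a stand-in for AES so that it runs on the standard library alone; the key, IV and messages are constructed for the demonstration. It shows what a reused IV leaks (identical plaintexts, and identical plaintext prefixes, produce identical ciphertext) and the standard fix of generating a fresh random IV per message and transmitting it alongside the ciphertext.

```python
"""Why a fixed CBC IV leaks information, and the per-message random IV fix.

Added example. The block cipher below is a toy Feistel construction over
HMAC-SHA256, standing in for AES; the key and IV are constructed values.
"""
import hashlib
import hmac
import os

BLOCK = 16
KEY = b"constructed-demo-key-not-a-secret"   # constructed: a hard-coded key
FIXED_IV = bytes(BLOCK)                      # constructed: the weak, hard-coded IV


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function; 8-byte output to match each Feistel half.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def _pad(data: bytes) -> bytes:            # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Each plaintext block is XORed with the previous ciphertext block; the
    # first block is XORed with the IV, so a fixed IV makes the first block
    # a deterministic function of the key and the first 16 bytes of plaintext.
    p, prev, out = _pad(plaintext), iv, bytearray()
    for i in range(0, len(p), BLOCK):
        c = block_encrypt(key, _xor(p[i:i + BLOCK], prev))
        out += c
        prev = c
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return _unpad(bytes(out))


# --- The weak pattern: one hard-coded IV for every message -------------------

def fixed_iv_repeats(key: bytes = KEY) -> bool:
    """Same message twice under a fixed IV -> byte-identical ciphertext."""
    m = b"glucose=5.6 mmol/L;insulin=4u"
    return cbc_encrypt(key, FIXED_IV, m) == cbc_encrypt(key, FIXED_IV, m)


def fixed_iv_leaks_prefix(key: bytes = KEY) -> bool:
    """Messages sharing their first 16 bytes share their first ciphertext block."""
    c1 = cbc_encrypt(key, FIXED_IV, b"user=alice;glucose=5.6")
    c2 = cbc_encrypt(key, FIXED_IV, b"user=alice;glucose=9.9")
    return c1[:BLOCK] == c2[:BLOCK] and c1[BLOCK:] != c2[BLOCK:]


# --- The fix: fresh random IV per message, sent in the clear with the data --

def encrypt_with_random_iv(key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    return iv + cbc_encrypt(key, iv, plaintext)


def decrypt_with_random_iv(key: bytes, blob: bytes) -> bytes:
    return cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:])


def random_iv_hides_repeats(key: bytes = KEY) -> bool:
    """Same message twice -> different ciphertexts, both still decryptable."""
    m = b"glucose=5.6 mmol/L;insulin=4u"
    a, b = encrypt_with_random_iv(key, m), encrypt_with_random_iv(key, m)
    return a != b and decrypt_with_random_iv(key, a) == m == decrypt_with_random_iv(key, b)


if __name__ == "__main__":
    print("fixed IV repeats:", fixed_iv_repeats())
    print("fixed IV leaks shared prefix:", fixed_iv_leaks_prefix())
    print("random IV hides repeats:", random_iv_hides_repeats())
```

A random IV removes the equality leak but does not make CBC tamper-proof: an attacker in the MitM position described above can still flip bits in a chosen plaintext block by altering the preceding ciphertext block, so the ciphertext (IV included) should also carry a MAC, or an authenticated mode such as AES-GCM should be used instead. The hard-coded `KEY` constant in the block is the same anti-pattern as the advisory's fourth vulnerability; in real code the key belongs in a key store or is derived per session, never in the binary.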
Remediation advice
Ypsomed have updated their affected mylife Cloud backend services to mitigate the vulnerabilities in mylife Cloud versions prior to 1.7.2.
Affected organisations should contact their relevant suppliers and ensure all mylife app users have updated to version 1.7.5 or later.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 16 July 2021 2:33 pm