CVE-2025-2355 - Exposing Secrets in BlackVue App 3.65 for Android — How Local Attackers Can Steal Your Credentials

In early 2025, a new vulnerability, CVE-2025-2355, was uncovered in the BlackVue App 3.65 for Android. This issue exposes sensitive data by improperly storing secret tokens used by the app. While the exploit requires local access to the device, it opens the door for attackers to steal crucial credentials, potentially compromising user accounts and data.

Let's break down what happened, how the exploit works, show you the core code vulnerability, and point to the original resources.

Component: API Endpoint Handler

- Issue: Unprotected storage of BCS_TOKEN / SECRET_KEY
- Impact: Exposure of authentication tokens/secret keys

What Does This Mean?

When you use the BlackVue app, it communicates with BlackVue’s servers to manage your dashcam footage. To stay logged in, it has to store authentication details somewhere on your phone. The vulnerability is that these secrets are saved in plain text (unprotected), so anyone—or anything—with access to your device storage can read them.

SECRET_KEY

Instead of securely storing these (for example, using encrypted SharedPreferences or Android Keystore), the app writes them to a world-readable file in its local storage.

Attack Scenario

Suppose any malicious app or user gets local access (e.g., physical access, malware with storage permissions), they can open up the storage directory and copy these tokens. These secrets let attackers impersonate you, access your cloud recordings, or manipulate your dashcam account.

Below is a simplified sample extracted and generalized based on disclosure information

// File: ApiEndpointHandler.java

public class ApiEndpointHandler {
    public void saveCredentials(String bcsToken, String secretKey) {
        // Vulnerable code: storing tokens in plain text, unprotected file
        FileOutputStream fos = new FileOutputStream(
            new File(context.getFilesDir(), "credentials.txt")
        );
        String data = "BCS_TOKEN=" + bcsToken + "\nSECRET_KEY=" + secretKey;
        fos.write(data.getBytes());
        fos.close();
    }
}

Not using Android’s secure storage methods (like the Keystore system).

## Steps to Reproduce / Exploit

Install a benign-looking app on the same device that asks for storage permissions.

2. Scan the internal storage folder of the BlackVue app (/data/data/com.pittasoft.blackvueapp/files/).

exploit_blackvue_creds.py

file_path = "/data/data/com.pittasoft.blackvueapp/files/credentials.txt"

`

4. Extract BCS_TOKEN and SECRET_KEY from the file contents and use those to authenticate as the user.

Original Disclosure and References

- Exploit Disclosure: exploit-db.com/exploits/52555
- Android Privacy Docs: developer.android.com/training/articles/keystore
- CVE Record: cve.org/CVERecord?id=CVE-2025-2355
- Vendor: www.blackvue.com

> Note: The vendor did not respond to multiple contact attempts before the public disclosure in March 2025.

Protect Yourself

- Update: Check for a newer version of the BlackVue app. If no fixed version is available, be aware of the risk!

Final Thoughts

CVE-2025-2355 is a classic example of why secure storage matters, even for trusted apps. If BlackVue had used Android's secure storage, no one could pull these secrets—even with local access. Until patched, anyone with your phone (or malware inside it) can break into your BlackVue cloud.

If you use BlackVue, update your app regularly and don’t overlook security prompts. Small details can make a big difference.


*This post is an exclusive recapitulation and technical explanation of the public exploit and its risks. Original proof-of-concept and exploit code may be referenced via the links above for responsible research and awareness.*

---

Timeline

Published on: 03/17/2025 01:15:36 UTC