Alta Video — 1656: Insecure terms of service HTTP URLs could lead to man-in-the-middle-attack

Release Date

10th February 2025.

Overview

A vulnerability was discovered in the handling of terms of service URLs within the Alta Video Android and iOS mobile applications. Specifically, the applications contained insecure HTTP links, which could have exposed the URLs to potential interception and manipulation through a man-in-the-middle attack.

Affected Products

• Alta Video:
• Android app versions before 3.9.0
• iOS app versions before 3.9.0

Unaffected Products

• Alta Video:
• All Android app versions after and including 3.9.0.
• All iOS app versions after and including 3.9.0.
• All Web client versions
• Avigilon Cloud-Native Cameras: all versions.
• Alta Video Cloud: all versions.

Resolution

This issue has been fixed in version 3.9.0 of the Aware Android & iOS apps.

It is *strongly recommended* that all users running an affected version of the app upgrade to the latest release as soon as possible. Releases are available to download through the Google Play Store or the App Store.

Vulnerability Information

• CVSSv3 score: 5.6 (Medium)
• CVSSv3 vector: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

Mitigations

There are no known mitigations for this issue.

Work arounds

There are no known work arounds for this issue.

Acknowledgements

Issue found internally by Alta Video.

Disclosure Timeline

• 04/10/2024 Issue found
• 07/10/2024 Root cause established
• 07/10/2024 Fix identified
• 10/12/2024 Patched versions of the Android & iOS apps released
• 10/02/2025 Vulnerability publicly disclosed