CVE-2018-18976
Description
An issue was discovered in the Ascensia Contour NEXT ONE application for iOS and Android before 2019-01-15. An attacker may retrieve encrypted medical information of any user of the Ascensia cloud platform by performing Direct Object References with a series of user ID values. (This information can be decrypted through a different vulnerability.)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ascensia Contour NEXT ONE app before 2019-01-15 exposes encrypted medical data of any user via insecure direct object references (IDOR) in the cloud API.
Vulnerability
The Ascensia Contour NEXT ONE mobile application for iOS and Android (versions prior to 2019-01-15) communicates with an Ascensia cloud platform that fails to enforce proper authorization checks. The backend API returns encrypted medical information for whichever user ID the client supplies, so an attacker can retrieve any user's data simply by iterating through user ID values in the request, a classic insecure direct object reference (IDOR) flaw. The flaw lies in the cloud service itself and no special configuration is needed to reach it [1].
Exploitation
An attacker needs a valid account on the Ascensia cloud platform and the ability to observe and modify the application's API requests; the write-up does this by proxying the app's traffic after bypassing its certificate pinning (CVE-2018-18975). No interaction with the victim user is required. By resending the request with a series of different user ID values, the attacker can retrieve the encrypted medical records of any platform user. The attacker does not need to be within Bluetooth range of a glucometer or have any physical access [1]. The official description confirms that this information can be decrypted through a different vulnerability, but the IDOR alone enables bulk data extraction.
Impact
Successful exploitation allows an attacker to retrieve encrypted medical data of any user of the Ascensia cloud platform, including sensitive health information such as glucometer readings. Combined with the separate decryption vulnerability, an attacker could fully compromise patient confidentiality (information disclosure). The report further notes that modification of user data was theoretically possible, which could lead to harm if medical staff rely on tampered records for treatment decisions [1].
Mitigation
The vendor released a fix on or before 2019-01-15, but the specific patched version number is not disclosed in the available references. Users should ensure the mobile application is updated to the latest version available from official app stores. No workaround is described; upgrading is the only recommended course of action [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Ascensia / Contour NEXT ONE application
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
The API endpoint trusts the user-supplied numeric "userID" parameter without verifying that the requesting user is authorized to access that user's data, enabling Insecure Direct Object Reference (IDOR).
Attack vector
An attacker who has already bypassed the application's certificate pinning (CVE-2018-18975) can proxy and modify API requests. The application makes a request containing a numeric "userID" parameter; changing this user ID number returns a different encrypted blob of data belonging to another user [1]. By iterating through user ID values, an attacker can enumerate encrypted medical information for any user on the Ascensia cloud platform. The attacker does not need authentication beyond what the mobile application already provides, and the IDOR is triggered simply by altering the numeric userID parameter in the request.
Affected code
The advisory does not identify specific source files or functions. The vulnerability exists in the Ascensia Contour NEXT ONE mobile application's backend API endpoint that accepts a numeric "userID" parameter and returns encrypted user data. The researcher observed this request/response pair while proxying traffic through Burp Suite [1].
What the fix does
The advisory does not include a patch or remediation details, and the researcher's write-up does not describe any fix applied by the vendor. To close this vulnerability, the backend must bind the object reference to the authenticated principal: derive the user ID from the authenticated session (or verify that the requested userID belongs to the caller) and reject or return "not found" for any other ID, rather than trusting the userID parameter supplied by the client [1].
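The attack-vector and fix paragraphs above describe the same handler from two sides. The following is an added example, not Ascensia's code and not taken from the write-up: a simulated backend with a vulnerable handler that trusts the client-supplied userID beside a fixed handler that binds the lookup to the authenticated session, plus the attacker-side enumeration loop. All endpoint names, session tokens and record contents are constructed for the illustration.

```python
"""Added example (not the vendor's code): IDOR on a userID parameter and the
authorization check that closes it. Session tokens and records are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample data: each user's record is an opaque encrypted blob as the
# API returned it; the server never sees plaintext.
USER_RECORDS: Dict[int, bytes] = {
    1001: b"\x8f\x2a\x11\x40alice-ciphertext",
    1002: b"\x7c\x03\x9e\x55bob-ciphertext",
    1003: b"\x21\xd4\x6b\x0acarol-ciphertext",
}

# Constructed sessions: bearer token -> authenticated user ID.
SESSIONS: Dict[str, int] = {
    "tok-alice": 1001,
    "tok-bob": 1002,
}


@dataclass
class Response:
    status: int
    body: Optional[bytes] = None


def authenticate(token: str) -> Optional[int]:
    """Resolve a bearer token to the user ID it was issued for, or None."""
    return SESSIONS.get(token)


def vulnerable_get_data(token: str, user_id: int) -> Response:
    """Pattern from the advisory: the caller is authenticated, but the object
    reference (userID) is taken from the request and never checked against
    the caller, so any valid session can read any user's blob."""
    if authenticate(token) is None:
        return Response(401)
    blob = USER_RECORDS.get(user_id)
    if blob is None:
        return Response(404)
    return Response(200, blob)


def fixed_get_data(token: str, user_id: int) -> Response:
    """Hardened form: the lookup is bound to the authenticated principal.
    A foreign userID is answered with 404 rather than 403 so the endpoint
    does not confirm which IDs exist (assumption: the API has no legitimate
    cross-user access, e.g. caregiver sharing; if it did, that grant would
    be checked here instead of plain equality)."""
    caller = authenticate(token)
    if caller is None:
        return Response(401)
    if user_id != caller:
        return Response(404)
    blob = USER_RECORDS.get(user_id)
    if blob is None:
        return Response(404)
    return Response(200, blob)


def enumerate_records(handler: Callable[[str, int], Response],
                      token: str, start: int, end: int) -> Dict[int, bytes]:
    """Attacker-side loop from the write-up: replay the request with one valid
    session and a range of userID values, keeping every 200 response."""
    leaked: Dict[int, bytes] = {}
    for uid in range(start, end + 1):
        resp = handler(token, uid)
        if resp.status == 200 and resp.body is not None:
            leaked[uid] = resp.body
    return leaked


if __name__ == "__main__":
    # Alice's session walks IDs 1000..1005 against both handlers.
    print("vulnerable:", sorted(enumerate_records(vulnerable_get_data, "tok-alice", 1000, 1005)))
    print("fixed:     ", sorted(enumerate_records(fixed_get_data, "tok-alice", 1000, 1005)))
```

Against the vulnerable handler a single low-privilege session harvests every stored blob in the range; against the fixed handler the same loop yields only the caller's own record. Returning 404 for foreign IDs, rather than 403, also removes the ID-existence oracle that an enumeration loop would otherwise use to map the user space.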
Preconditions
- network: Attacker must be able to proxy and modify network traffic between the mobile application and the backend (requires bypassing certificate pinning, CVE-2018-18975)
- auth: Attacker must have a valid account on the Ascensia cloud platform to obtain a legitimate userID and observe the API request format
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. depthsecurity.com/blog/medical-exploitation-you-are-now-diabetic (MISC)
News mentions
No linked articles in our index yet.