VYPR
Unrated severity · NVD Advisory · Published Jul 15, 2021 · Updated Aug 4, 2024

CVE-2020-12731

Description

The MagicMotion Flamingo 2 application for Android stores data on an sdcard under com.vt.magicmotion/files/Pictures, whence it can be read by other applications.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The MagicMotion Flamingo 2 Android app stores sensitive data on the external SD card in a world-readable directory, allowing other apps to access it.

Vulnerability

The MagicMotion Flamingo 2 application for Android stores data on the device's external SD card under the directory com.vt.magicmotion/files/Pictures. This directory is world-readable, meaning any other application installed on the device with the READ_EXTERNAL_STORAGE permission can access its contents. The vulnerability affects all versions of the Flamingo 2 app as described in the vendor's product page [1].

Exploitation

An attacker needs to have a malicious or otherwise untrusted application installed on the same Android device that has been granted the READ_EXTERNAL_STORAGE permission. The attacker's app can then read the contents of com.vt.magicmotion/files/Pictures without any additional authentication or user interaction beyond the initial permission grant. No special network position or race condition is required.

Impact

Successful exploitation leads to unauthorized disclosure of pictures stored by the Flamingo 2 app. Given the nature of the application (a wearable intimate device controller), these pictures are likely to be sensitive personal images. The attacker gains read access to these files but does not achieve code execution, privilege escalation, or modification of data.

Mitigation

As of the publication date (2021-07-15), no official fix or updated version has been released by MagicMotion to address this issue. Users are advised to uninstall the Flamingo 2 app if sensitive data is stored, or to avoid storing such data on the device. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
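
For developers whose app shows the same storage pattern, the class below is an added example; it is not MagicMotion's code and not part of the advisory. It assumes the exposed path is what Context.getExternalFilesDir(Environment.DIRECTORY_PICTURES) returns; the class name PrivatePictureStore and the internal "Pictures" subdirectory are hypothetical.

```java
// Added example: keeps pictures in internal storage instead of the shared path in CVE-2020-12731.
// Assumption: the exposed directory is the one getExternalFilesDir(DIRECTORY_PICTURES) returns.
import android.content.Context;
import android.os.Environment;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class PrivatePictureStore { // hypothetical class name
    private final Context context;

    public PrivatePictureStore(Context context) {
        this.context = context.getApplicationContext();
    }

    // Weak pattern, for contrast: context.getExternalFilesDir(Environment.DIRECTORY_PICTURES)
    // resolves to shared storage (.../Android/data/<package>/files/Pictures).
    // Hardened: a directory under internal storage, private to the app's UID.
    public File pictureDir() throws IOException {
        File dir = new File(context.getFilesDir(), "Pictures");
        if (!dir.isDirectory() && !dir.mkdirs()) {
            throw new IOException("cannot create " + dir);
        }
        return dir;
    }

    // One-time migration: copy legacy files inward, then delete the exposed originals.
    public int migrateLegacyPictures() throws IOException {
        File legacy = context.getExternalFilesDir(Environment.DIRECTORY_PICTURES);
        File[] files = (legacy == null) ? null : legacy.listFiles();
        if (files == null) return 0; // storage unmounted or directory missing
        int moved = 0;
        for (File src : files) {
            if (!src.isFile()) continue;
            File dst = new File(pictureDir(), src.getName());
            try (InputStream in = new FileInputStream(src);
                 OutputStream out = new FileOutputStream(dst)) {
                byte[] buf = new byte[8192];
                for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            }
            if (!src.delete()) throw new IOException("could not delete " + src);
            moved++;
        }
        return moved;
    }
}
```

Calling migrateLegacyPictures() once at startup, before any new picture is written, removes files that earlier versions left on shared storage.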

Affected products: 2

Patches: 0. No patches discovered yet.

References: 1
