CVE-2020-8507

Vulnerability

The Citytv Video application versions 4.08.0 for Android and 3.35 for iOS transmit analytics data without encryption [1]. This means that any analytics information collected by the app is sent over the network in plaintext, making it readable by anyone who can observe the network traffic.

Exploitation

An attacker with network access (e.g., on the same Wi-Fi network or a compromised router) can passively intercept the unencrypted analytics traffic. No authentication or user interaction beyond normal app usage is required. The attacker simply needs to capture the network packets containing the analytics data.

Impact

Successful interception reveals analytics data, which may include user behavior patterns, device identifiers, session information, and other telemetry. This constitutes an information disclosure that could be used for profiling or further attacks. The scope is limited to the analytics data transmitted; no direct code execution or privilege escalation is indicated.

Mitigation

No official fix or workaround is disclosed in the available reference [1]. Users are advised to monitor for updates from the vendor or consider using a VPN to encrypt all traffic until a patched version is released.