CVE-2023-36620
Description
An issue was discovered in the Boomerang Parental Control application before 13.83 for Android. The app is missing the android:allowBackup="false" attribute in the manifest. This allows the user to back up the internal memory of the app to a PC. This gives the user access to the API token that is used to authenticate requests to the API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Boomerang Parental Control for Android before 13.83 lacks a backup restriction, exposing the API token to attackers via an app backup.
Vulnerability
The Boomerang Parental Control application for Android, versions prior to 13.83, does not set android:allowBackup="false" in the AndroidManifest.xml file [1]. This allows the app's internal storage to be backed up via Android's backup mechanism.
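A manifest check for the condition described above, as an added example that is not part of the CVE record or the vendor's code: it treats a missing android:allowBackup attribute as enabled, because the platform default for that attribute is true. The input is assumed to be a manifest already decoded to text XML, and the package name and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

# Namespace Android uses for android:* manifest attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS


def audit_allow_backup(manifest_xml):
    """Classify the backup setting of a decoded (text) AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    if app is None:
        return {"package": root.get("package"), "status": "no-application", "flag": False}
    value = app.get(ALLOW_BACKUP)
    if value is None:
        # Attribute absent: the platform default is true, which is the
        # condition this CVE describes.
        status, flag = "missing-defaults-to-true", True
    elif value.strip().lower() == "false":
        status, flag = "explicitly-disabled", False
    elif value.strip().lower() == "true":
        status, flag = "explicitly-enabled", True
    else:
        # For example a "@bool/..." resource reference: it cannot be resolved
        # from the manifest alone, so flag it for manual review.
        status, flag = "unresolved:" + value, True
    return {"package": root.get("package"), "status": status, "flag": flag}


# Constructed sample manifests (hypothetical package name).
MISSING = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parental">
  <application android:label="Example" />
</manifest>"""

HARDENED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.parental">
  <application android:label="Example" android:allowBackup="false" />
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("missing", MISSING), ("hardened", HARDENED)):
        print(name, audit_allow_backup(xml))
```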
Exploitation
An attacker with physical access to the device or the ability to initiate a backup (e.g., via adb) can create a full backup of the app's data. The backup includes the API token used for authenticating requests to the Boomerang backend [1].
Impact
The attacker obtains the API token, which can be used to impersonate the user or access the Boomerang API, potentially leading to unauthorized access to parental control settings or user data.
Mitigation
The issue is fixed in version 13.83 of the Boomerang Parental Control app. Users should update to the latest version from the official app store [2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Boomerang/Boomerang Parental Control
- Range: <13.83
Patches
No patches discovered yet.