Butterfly Button Project - Sensitive Information Disclosure
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Cavo – Connecting for a Safer World BUTTERFLY BUTTON (Architecture flaw) allows loss of plausible deniability and confidentiality. This issue affects BUTTERFLY BUTTON: As of 2023-08-21.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The BUTTERFLY BUTTON SDK leaks sensitive user activity to the hosting app, breaking promised anonymity for domestic-violence help-seekers.
Vulnerability
The BUTTERFLY BUTTON SDK, designed to provide anonymous domestic-violence assistance via a website or app button, contains an architecture flaw that exposes sensitive information to the hosting application. The SDK fails to isolate user interactions (click events, session data, or the fact that help was sought) from the app’s own code, breaking the claimed plausible deniability. The affected SDK is the version analyzed as of 2023-08-21; no specific version number was disclosed [1][2][4].
Exploitation
An attacker who controls or has administrative access to the hosting website or application (or who can inject malicious code into the page) can monitor the SDK’s internal events or storage. No special network position is required if the attacker already has code execution in the app context. The exploitation requires only that the attacker’s code is present alongside the SDK’s code [3][4].
Impact
A successful attack reveals that a user has used the BUTTERFLY BUTTON, destroying the promised confidentiality and plausible deniability. In a domestic-violence context, this loss of anonymity could put the user at immediate physical risk. The impact is a direct information disclosure of a victim’s help-seeking behavior [2][3].
Mitigation
No fixed version has been announced as of 2023-08-21. Developers integrating the SDK are advised to review the SDK’s architecture and, if possible, sandbox the SDK in an iframe or separate process to prevent data leakage to the host application. The vendor’s GitHub repository and website did not provide a security update [1][4].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Cavo – Connecting for a Safer World / BUTTERFLY BUTTON v5, Range: As of 2023-08-21
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4 references cited above ([1] to [4]); the reference list itself is not included on this page.
News mentions
No linked articles in our index yet.