Traccar Client: silent configuration hijack via unverified deep link redirects all GPS telemetry
Description
Traccar Client v9.7.19 and below allows silent hijacking of GPS tracking configuration via a crafted deep link, enabling attacker-controlled telemetry redirection without user confirmation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Traccar Client versions 9.7.19 and below, the app registers a custom deep link scheme org.traccar.client://config that silently writes attacker-supplied parameters (server URL, device ID, accuracy, distance, and interval) into the app's persistent configuration without any confirmation, notification, or visual indication. The vulnerable code path is reachable simply by the victim tapping a crafted link; no special permissions or user interaction beyond a single tap are required. The fix is introduced in version 9.7.20, which adds a confirmation dialog before applying configuration changes from deep links [1][2].
Exploitation
An attacker can craft a deep link containing malicious parameters (e.g., an attacker-controlled server URL, a new device ID, maximum accuracy, zero distance, and a short interval) and deliver it via SMS, email, a webpage, or any installed app that can open a URL. When the victim taps the link, the org.traccar.client://config scheme is triggered, and the app silently applies the new configuration with no user prompt. The attack does not require any special permissions; it can be launched from any context that can send an intent to view the URL [1].
Impact
A successful attack silently redirects all GPS telemetry from the victim's device to an attacker-controlled server at maximum precision (high accuracy) and frequency (10-second interval, zero distance threshold). The attacker gains continuous, real-time tracking of the victim's location. The configuration change persists across app restarts, giving the attacker ongoing surveillance until the victim manually resets the settings. This amounts to a complete compromise of location privacy and enables real-time stalking or physical surveillance [1].
Mitigation
The vulnerability has been fixed in Traccar Client version 9.7.20, released on or before 2026-06-16 according to the advisory. The fix adds a confirmation dialog that asks the user to accept or reject the new configuration before applying it from a deep link [1][2]. Users should upgrade to version 9.7.20 or later immediately. No workaround is available for versions 9.7.19 and below; disabling deep link handling is not possible without patching the app [1].
AI Insight generated on Jun 17, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (1)
23558b0ae390 Add configuration confirmation
2 files changed · +30 −5
lib/l10n/app_en.arb+2 −1 modified@@ -33,5 +33,6 @@ "startAction": "Start service", "stopAction": "Stop service", "sosAction": "Send SOS", - "disclosureMessage": "This app collects location and activity data in the background and sends it to the configured server." + "disclosureMessage": "This app collects location and activity data in the background and sends it to the configured server.", + "configurationMessage": "Apply new configuration?" }
lib/main.dart+28 −4 modified@@ -17,6 +17,7 @@ import 'preferences.dart'; import 'configuration_service.dart'; final messengerKey = GlobalKey<ScaffoldMessengerState>(); +final navigatorKey = GlobalKey<NavigatorState>(); void main() async { WidgetsFlutterBinding.ensureInitialized(); @@ -42,8 +43,8 @@ class _MainAppState extends State<MainApp> { @override void initState() { super.initState(); - _initLinks(); WidgetsBinding.instance.addPostFrameCallback((_) async { + await _initLinks(); await rateMyApp.init(); if (mounted && rateMyApp.shouldOpenDialog) { try { @@ -59,17 +60,40 @@ class _MainAppState extends State<MainApp> { final appLinks = AppLinks(); final uri = await appLinks.getInitialLink(); if (uri != null) { - await ConfigurationService.applyUri(uri); + await _handleUri(uri); } - appLinks.uriLinkStream.listen((uri) async { + appLinks.uriLinkStream.listen(_handleUri); + } + + Future<void> _handleUri(Uri uri) async { + final context = navigatorKey.currentContext; + if (context == null) return; + final confirmed = await showDialog<bool>( + context: context, + builder: (context) => AlertDialog( + content: Text(AppLocalizations.of(context)!.configurationMessage), + actions: [ + TextButton( + onPressed: () => Navigator.pop(context, false), + child: Text(AppLocalizations.of(context)!.cancelButton), + ), + TextButton( + onPressed: () => Navigator.pop(context, true), + child: Text(AppLocalizations.of(context)!.okButton), + ), + ], + ), + ); + if (confirmed == true) { await ConfigurationService.applyUri(uri); - }); + } } @override Widget build(BuildContext context) { return MaterialApp( scaffoldMessengerKey: messengerKey, + navigatorKey: navigatorKey, localizationsDelegates: AppLocalizations.localizationsDelegates, supportedLocales: AppLocalizations.supportedLocales, theme: ThemeData(
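Review bot: in the `lib/l10n/app_en.arb` hunk, the new `"configurationMessage": "Apply new configuration?"` string tells the user nothing about what is about to change, and `_handleUri` renders only this text, so a crafted link and a legitimate one produce the identical prompt. Consider a message with placeholders for at least the target server URL and device ID (e.g. "Apply new configuration? Server: {url}"), so the prompt itself reveals a redirect to an unfamiliar server.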
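Review bot: in the `initState` hunk of `lib/main.dart`, `await _initLinks();` inside the post-frame callback means `rateMyApp.init()` and the rating dialog now wait until the user has answered the configuration prompt for an initial link. That sequencing is sensible (it avoids two dialogs competing for the screen) but is a behaviour change from the previous fire-and-forget `_initLinks();`, so a one-line comment explaining why the await is needed (the `navigatorKey` context only exists after the first frame) would help the next reader.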
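Review bot: in the `_handleUri` hunk, `appLinks.uriLinkStream.listen(_handleUri)` does not serialize prompts, so several links delivered in quick succession each open their own `showDialog`, stacking AlertDialogs on top of one another; a guard such as a `_promptOpen` flag that drops (or queues) incoming links while one prompt is open would keep one clear decision per link. The rest of the hunk fails closed correctly: a dismissed dialog returns null and `if (confirmed == true)` treats it as a rejection, and the early `return` when `navigatorKey.currentContext` is null means a link arriving before the widget tree exists is ignored rather than applied.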
Vulnerability mechanics
Root cause
"Missing user confirmation before applying configuration parameters received via a custom deep-link scheme allows silent reconfiguration of GPS tracking settings."
Attack vector
An attacker crafts a deep link using the `org.traccar.client://config` scheme with attacker-supplied parameters (server URL, device ID, accuracy, distance, interval). The link can be delivered via SMS, email, a webpage, or any installed app. When the victim taps the link, the app silently writes the parameters into persistent configuration with no confirmation, notification, or visual indication [1]. This redirects all GPS telemetry to the attacker's server at maximum precision and frequency, and the change persists across restarts.
Affected code
The vulnerability resides in `lib/main.dart` where the `_initLinks` method previously called `ConfigurationService.applyUri(uri)` directly without any user confirmation. The app registers the custom `org.traccar.client://config` deep-link scheme, and the initial link handler and the `uriLinkStream` listener both invoked `applyUri` immediately upon receiving a URI. The patch adds a confirmation dialog via `_handleUri` before applying the configuration.
What the fix does
The patch introduces a `_handleUri` method that first shows an `AlertDialog` with the message "Apply new configuration?" and Cancel/OK buttons. Only if the user taps OK does it call `ConfigurationService.applyUri(uri)`. A `navigatorKey` is added to the `MaterialApp` so the dialog can be shown from the async handler. This ensures the victim must explicitly consent before any configuration change takes effect, closing the silent hijack vector.
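The two code paths described above (apply on receipt versus apply only after an explicit accept) can be modelled outside the app. The following Python is an added example, not the project's Dart code: it parses a `org.traccar.client://config` link, shows the pre-patch behaviour of writing the settings immediately, and the post-patch behaviour of gating the write on a confirmation callback that, like the Dart `showDialog` result, treats a dismissed prompt as a rejection. The query-parameter names (`url`, `id`, `accuracy`, `distance`, `interval`), the sample link and the starting configuration are constructed for the example; the real app's parameter names are not given on the page. It also goes one step beyond the patch by building a prompt that lists the old and new values, so the user can see a server change rather than a bare "Apply new configuration?".

```python
"""Model of the Traccar Client deep-link configuration flow (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional
from urllib.parse import parse_qs, urlsplit

SCHEME = "org.traccar.client"   # custom scheme named in the advisory
HOST = "config"
# Assumed query keys for the five settings the advisory lists.
KEYS = ("url", "id", "accuracy", "distance", "interval")

# Constructed sample link: points the tracker at a non-routable host with a 10 s interval.
SAMPLE_LINK = ("org.traccar.client://config?url=https://collector.invalid"
               "&id=victim-42&accuracy=high&distance=0&interval=10")


@dataclass
class Config:
    """Persistent settings; the defaults stand in for a legitimate install (constructed)."""
    values: Dict[str, str] = field(default_factory=lambda: {
        "url": "https://tracker.example.com",
        "id": "device-1",
        "accuracy": "medium",
        "distance": "50",
        "interval": "300",
    })


def parse_config_link(link: str) -> Dict[str, str]:
    """Return the settings carried by a config deep link; reject any other URL."""
    parts = urlsplit(link)
    if parts.scheme != SCHEME or parts.netloc != HOST:
        raise ValueError("not a %s://%s link" % (SCHEME, HOST))
    params = parse_qs(parts.query)
    return {k: params[k][0] for k in KEYS if k in params}


def apply_uri_unpatched(link: str, config: Config) -> bool:
    """v9.7.19 behaviour: whatever the link carries is written at once, no prompt."""
    config.values.update(parse_config_link(link))
    return True


def describe_change(pending: Dict[str, str], config: Config) -> str:
    """Prompt text that shows each old -> new value, so a redirect is visible to the user."""
    lines = ["Apply new configuration?"]
    for key, new in pending.items():
        lines.append("  %s: %s -> %s" % (key, config.values.get(key, "<unset>"), new))
    return "\n".join(lines)


def apply_uri_patched(link: str, config: Config,
                      confirm: Callable[[str], Optional[bool]]) -> bool:
    """v9.7.20 behaviour: parse first, write only if the user explicitly accepts.

    `confirm` plays the role of the AlertDialog; None (dismissed) and False both
    leave the configuration untouched, mirroring the Dart `confirmed == true` check.
    """
    pending = parse_config_link(link)
    if confirm(describe_change(pending, config)) is not True:
        return False
    config.values.update(pending)
    return True


if __name__ == "__main__":
    before = Config()
    apply_uri_unpatched(SAMPLE_LINK, before)
    print("unpatched, after one tap:", before.values)

    after = Config()
    # Simulate the user reading the prompt and tapping Cancel.
    applied = apply_uri_patched(SAMPLE_LINK, after, lambda prompt: (print(prompt), False)[1])
    print("patched, user cancelled -> applied=%s, url still %s" % (applied, after.values["url"]))
```

The callback receives the rendered prompt so that a UI can display it; in the Dart patch the equivalent place to surface the pending server URL is the `AlertDialog` content in `_handleUri`.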
Preconditions
- Victim must have the Traccar Client app installed with version 9.7.19 or below
- Attacker must deliver a crafted deep link using the org.traccar.client:// scheme
- Victim must tap/click the malicious deep link
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
- github.com/traccar/traccar-client/commit/23558b0ae390f8480b2233da07410b5aeaafba09
- github.com/traccar/traccar-client/security/advisories/GHSA-vm6j-6g39-gj97