Tomofun Furbo Mobile App CVE-2025-11645
LOWSeverity by source
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A security vulnerability has been detected in Tomofun Furbo Mobile App up to 7.57.0a on Android. This affects an unknown part of the component Authentication Token Handler. The manipulation leads to insecure storage of sensitive information. It is possible to launch the attack on the physical device. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Insecure storage of authentication tokens in Tomofun Furbo Mobile App for Android up to version 7.57.0a allows local attackers with physical device access to extract sensitive credential information from the device storage. The vulnerability affects the Authentication Token Handler component and has been publicly disclosed with exploit details available. Despite early vendor contact, no patch or remediation response has been provided by Tomofun.
Technical ContextAI
The vulnerability resides in the Authentication Token Handler component of the Furbo Android application, which fails to implement secure storage mechanisms for sensitive authentication credentials. Rather than using Android's secure storage APIs (such as Android Keystore or EncryptedSharedPreferences), the application stores authentication tokens in plaintext or weakly protected storage locations accessible to local processes. This is a violation of CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), where sensitive data is inadequately protected against unauthorized access. The attack surface is limited to physical or adb-accessible devices, but the consequence is complete exposure of session tokens and authentication material.
Affected ProductsAI
Tomofun Furbo Mobile App for Android, versions up to and including 7.57.0a (CPE data not provided in source material). The vulnerability specifically impacts the Authentication Token Handler component. The affected version range suggests the vulnerability may persist in later releases given the vendor's documented non-response to disclosure.
RemediationAI
Primary remediation requires Tomofun to release a patched version that implements secure storage for authentication tokens using Android Keystore System or EncryptedSharedPreferences. At present, no vendor-released patch has been identified or confirmed. Users should immediately update to any version newer than 7.57.0a if available, though patch status from Tomofun is unconfirmed. As a compensating control pending vendor patching, users should enable device-level security measures: enable device lock screen with strong PIN/biometric, disable USB debugging when not in active use, use a Mobile Device Management (MDM) solution to enforce encryption if deployed in enterprise contexts, and consider revoking Furbo app permissions and re-authenticating through a secure browser session after updating. Device owners should assume that anyone with physical access to an unlocked device can extract stored authentication tokens and should monitor Furbo account activity and linked camera access logs for suspicious access patterns. The GitHub advisory at https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Insecure.md contains technical details of the insecure storage mechanism.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today