Traccar Client
Monthly
Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. No public exploit identified at time of analysis, but the upstream commit confirms a confirmation dialog was added in 9.7.20 as the fix.
Silent configuration hijack in Traccar Client GPS tracking app (versions 9.7.19 and below) allows remote attackers to redirect victim telemetry to attacker-controlled servers via a single crafted org.traccar.client://config deep link. The app accepts deep-link parameters (server URL, device ID, accuracy, distance, interval) and writes them to persistent configuration with no user confirmation, enabling continuous covert location tracking. No public exploit identified at time of analysis, but the upstream commit confirms a confirmation dialog was added in 9.7.20 as the fix.