Hacks and Incidents

Android app “bit web server” remotely vulnerable

Steve Austin: Android app “bit web server” from Ice Cold Apps suffers from an insecure default configuration which allows for at least injection of a PHP web shell. Devices that are rooted will allow for said shell to be uid 0, or root. The issue was reported to the developer yesterday immediately post discovery. It is possible the app binds to public internet addresses, as the results of a #shodan search produced multiple vulnerable targets in the wild. It is recommended to remove the application until the issue is addressed, or to address the insecure configuration issue directly. The rest of the technical details will be disclosed at a later time. I will also fork out a version of #phpmyass that demonstrates the issue for PoC if time permits. Just real busy lately.