CVE-2021-20748

7.5 HIGH

📋 TL;DR

This vulnerability involves hard-coded API keys in the Retty mobile app, allowing anyone who analyzes the app's binary or data to extract the credentials it uses for external services. It affects Retty for Android before version 4.8.13 and Retty for iOS before version 4.11.14. Users of vulnerable versions are exposed to unauthorized access to the integrated third-party services.

💻 Affected Systems

Products:
  • Retty App for Android
  • Retty App for iOS
Versions: Android: prior to 4.8.13, iOS: prior to 4.11.14
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of affected versions are vulnerable due to hard-coded credentials.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain full access to integrated external services, potentially leading to data breaches, financial fraud, or service disruption.

🟠 Likely Case: Unauthorized API usage leading to service abuse, data scraping, or unexpected charges to the service provider.

🟢 If Mitigated: Limited impact with proper API key rotation and monitoring, though the initial exposure remains a concern.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires static analysis of the app binary or network traffic inspection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android: 4.8.13, iOS: 4.11.14

Vendor Advisory: https://jvn.jp/en/jp/JVN26891339/index.html

Restart Required: Yes

Instructions:

1. Update the Retty app via Google Play Store (Android) or App Store (iOS).
2. Ensure the version is at least 4.8.13 (Android) or 4.11.14 (iOS).
3. Restart the app after the update.

🔧 Temporary Workarounds

Disable App or Limit Permissions (all)

Temporarily uninstall the app or restrict its permissions to reduce exposure until patched.

🧯 If You Can't Patch

  • Rotate all exposed API keys with the external service provider immediately.
  • Monitor API usage for suspicious activity and implement rate limiting if possible.

🔍 How to Verify

Check if Vulnerable:

Check app version in settings: Android: Settings > Apps > Retty > App info; iOS: Settings > General > iPhone Storage > Retty.

Check Version:

N/A for mobile apps; use device settings as above.

Verify Fix Applied:

Confirm app version is Android ≥4.8.13 or iOS ≥4.11.14 after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual API call patterns or errors from external services linked to Retty.

Network Indicators:

  • Traffic to external services using hard-coded keys from Retty app instances.
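The log and network indicators above, together with the "If You Can't Patch" advice to rotate keys, monitor usage and rate limit, are only useful if the operator of the external service can actually act on them. The following added example (not part of this advisory, and not Retty's or any vendor's code) shows one way to do that on the service side: it scans API-gateway style log lines, alerts when a rotated-out key is still presented, when one client exceeds a per-key request rate inside a sliding window, and when a client accumulates 4xx errors. The log format, the key ids `key_mobile_v1`/`key_mobile_v2`, the client addresses and the thresholds are all constructed for illustration.

```python
"""Added example: spot abuse of a leaked client-side API key in gateway logs.

Not part of the advisory. The log format, key ids, client addresses and
thresholds below are constructed assumptions for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical key ids: the key currently shipped in the app, and the one
# rotated out after the leak. Requests with a revoked key should be rejected
# by the service and are worth an alert on their own.
CURRENT_KEY = "key_mobile_v2"
REVOKED_KEYS = {"key_mobile_v1"}


def build_sample_log():
    """Construct gateway log lines: '<ISO ts> <key id> <client ip> <path> <status>'."""
    base = datetime(2021, 6, 1, 10, 0, 0)
    lines = []
    # Normal traffic: one request every 20 seconds, each from a different phone.
    for i in range(6):
        ts = base + timedelta(seconds=20 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {CURRENT_KEY} 198.51.100.{i + 1} /v1/restaurants 200")
    # Burst: a single source fires 30 requests in 30 seconds with the extracted key.
    for i in range(30):
        ts = base + timedelta(minutes=5, seconds=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} {CURRENT_KEY} 203.0.113.7 /v1/restaurants 200")
    # Stale key still presented after rotation; the gateway answers 401 each time.
    for i in range(3):
        ts = base + timedelta(minutes=10, seconds=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} key_mobile_v1 203.0.113.7 /v1/restaurants 401")
    return "\n".join(lines)


def parse_line(line):
    """Split one constructed log line into a dict with a parsed timestamp."""
    ts, key, ip, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "key": key, "ip": ip, "path": path, "status": int(status)}


def analyze(log_text, window=timedelta(seconds=60), rate_limit=20, error_threshold=3):
    """Return a list of findings; each (type, key, ip) combination is reported once."""
    findings = []
    recent = defaultdict(deque)   # (key, ip) -> request timestamps inside the window
    errors = defaultdict(int)     # (key, ip) -> number of 4xx responses seen
    reported = set()              # de-duplicate alerts per (type, key, ip)

    def alert(kind, key, ip, detail):
        sig = (kind, key, ip)
        if sig not in reported:
            reported.add(sig)
            findings.append({"type": kind, "key": key, "ip": ip, "detail": detail})

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        pair = (ev["key"], ev["ip"])

        # 1. A key that was rotated out must never appear again.
        if ev["key"] in REVOKED_KEYS:
            alert("revoked_key_used", ev["key"], ev["ip"], "rotated key still presented")

        # 2. Sliding-window rate check per (key, client) pair.
        q = recent[pair]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) > rate_limit:
            alert("rate_exceeded", ev["key"], ev["ip"], f"{len(q)} requests in {window.seconds}s")

        # 3. Repeated client errors from one source (auth failures, probing).
        if 400 <= ev["status"] < 500:
            errors[pair] += 1
            if errors[pair] >= error_threshold:
                alert("error_burst", ev["key"], ev["ip"], f"{errors[pair]} 4xx responses")
    return findings


if __name__ == "__main__":
    for finding in analyze(build_sample_log()):
        print(finding)
```

The rate check is keyed on (key, client) so that the normal population of phones sharing one app key is not punished for a single abusive source; an operator who wants the service-wide rate limit the advisory suggests can add a second window keyed on the key alone. Rejecting revoked keys at the gateway is what makes the first alert meaningful: rotation without rejection only adds a second working key.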

SIEM Query:

N/A for client-side mobile app vulnerability.
