CVE-2025-14317
📋 TL;DR
This vulnerability allows authenticated attackers in the Crazy Bubble Tea mobile app to access other users' personal information by enumerating loyaltyGuestId parameters. The server fails to verify proper authorization before returning sensitive data. All users of vulnerable app versions are affected.
💻 Affected Systems
- Crazy Bubble Tea mobile application
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass data breach exposing personal information of all app users, potentially including names, contact details, and loyalty program data.
Likely Case
Targeted data harvesting where attackers systematically enumerate user IDs to collect personal information for identity theft or phishing campaigns.
If Mitigated
Limited data exposure if rate limiting or monitoring detects enumeration attempts early.
🎯 Exploit Status
Requires authenticated access but exploitation is simple parameter manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android: 915, iOS: 7.4.1
Vendor Advisory: https://crazybubble.pl/aplikacja-crazy-bubble/
Restart Required: Yes
Instructions:
1. Open Google Play Store or Apple App Store.
2. Search for 'Crazy Bubble Tea'.
3. Update to the latest version (Android 915+ or iOS 7.4.1+).
4. Restart the application.
🔧 Temporary Workarounds
Disable app or restrict access
Uninstall vulnerable app versions or restrict network access to prevent exploitation.
🧯 If You Can't Patch
- Implement server-side authorization checks for all user data requests
- Add rate limiting and monitoring for unusual loyaltyGuestId enumeration patterns
🔍 How to Verify
Check if Vulnerable:
Check app version in settings: Android < 915 or iOS < 7.4.1 indicates vulnerability.
Check Version:
Android: Settings → Apps → Crazy Bubble Tea → App info. iOS: Settings → General → iPhone Storage → Crazy Bubble Tea.
Verify Fix Applied:
Confirm app version is Android ≥ 915 or iOS ≥ 7.4.1 after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual patterns of loyaltyGuestId parameter requests
- Multiple failed authorization attempts for user data
Network Indicators:
- Rapid sequential requests with incrementing loyaltyGuestId values
- Unusual data volume from single authenticated sessions
SIEM Query:
source=app_logs AND (loyaltyGuestId AND (rate>10/min OR pattern=sequential))
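As an added example (not from the advisory or the vendor), the detector below applies the two network indicators above, more than 10 loyaltyGuestId requests per minute from one session and runs of incrementing ids, to access-log lines. The log line format, the `/api/guest` path, the session field and the thresholds are assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format (not the vendor's): "<ISO timestamp> session=<id> GET /api/guest?loyaltyGuestId=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) session=(?P<session>\S+) GET /api/guest\?loyaltyGuestId=(?P<gid>\d+)$"
)

def parse_log(lines):
    """Parse matching lines into (timestamp, session, loyaltyGuestId); non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["session"], int(m["gid"])))
    return events

def flag_enumeration(events, rate_per_min=10, seq_len=5):
    """Return {session: reasons} for sessions whose loyaltyGuestId requests look like enumeration:
    'rate' if any 60 s window holds more than rate_per_min requests,
    'sequential' if seq_len consecutive requests each use the previous id + 1."""
    by_session = defaultdict(list)
    for ts, sess, gid in sorted(events):
        by_session[sess].append((ts, gid))
    flagged = {}
    for sess, reqs in by_session.items():
        reasons = []
        start = 0  # sliding window over time-sorted requests
        for end in range(len(reqs)):
            while (reqs[end][0] - reqs[start][0]).total_seconds() > 60:
                start += 1
            if end - start + 1 > rate_per_min:
                reasons.append("rate")
                break
        run = 1  # length of the current strictly-incrementing id run
        for i in range(1, len(reqs)):
            run = run + 1 if reqs[i][1] == reqs[i - 1][1] + 1 else 1
            if run >= seq_len:
                reasons.append("sequential")
                break
        if reasons:
            flagged[sess] = reasons
    return flagged

# Constructed sample: session A walks ids 1000..1011 in 12 seconds; session B fetches its own id twice.
SAMPLE_LOG = [
    f"2025-01-10T12:00:{i:02d} session=A GET /api/guest?loyaltyGuestId={1000 + i}" for i in range(12)
] + [
    "2025-01-10T12:05:00 session=B GET /api/guest?loyaltyGuestId=4242",
    "2025-01-10T12:09:00 session=B GET /api/guest?loyaltyGuestId=4242",
]

if __name__ == "__main__":
    print(flag_enumeration(parse_log(SAMPLE_LOG)))  # → {'A': ['rate', 'sequential']}
```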