Acknowledged
CIQQA-3366

Privacy Vulnerability: with the ERA tool you can view another developer's Beta/Unpublished App names

By utilizing another developer's developer GUID, which can be found in the URL of their public-facing Connect IQ app page, you can plug that into the ERA reporting tool to view the names of all of that developer's apps. This includes the Beta and unapproved apps.
While the error reports are still locked behind the developer key, the names are public. Beta app names are not normally public and are not advertised to developers as being public.
This could be used to see what apps are being worked on before they are ready to be announced or released.
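
The access-control gap described in this report, modelled as an added example (not code from the original post or from Garmin): a listing keyed only on the public developer GUID, beside one that returns unpublished names only to a caller who presents the owner's developer key. The data model, function names, GUIDs and keys are all hypothetical and constructed for illustration; how ERA actually stores or checks these values is not known from this page.

```python
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    owner_guid: str
    name: str
    published: bool  # False for Beta / unapproved apps

# Constructed sample data; GUIDs, names and keys are made up for this example.
APPS = [
    App("guid-alice", "Trail Pace", True),
    App("guid-alice", "Secret Watchface (Beta)", False),
    App("guid-bob", "Tide Widget", True),
]
DEVELOPER_KEYS = {"guid-alice": b"alice-key", "guid-bob": b"bob-key"}

def list_names_guid_only(owner_guid):
    """Reported behaviour: the public GUID alone selects the full list."""
    return [a.name for a in APPS if a.owner_guid == owner_guid]

def list_names_checked(owner_guid, presented_key=None):
    """Unpublished names are returned only to a caller holding the owner's key."""
    expected = DEVELOPER_KEYS.get(owner_guid)
    is_owner = (
        expected is not None
        and presented_key is not None
        and hmac.compare_digest(expected, presented_key)  # constant-time compare
    )
    return [a.name for a in APPS
            if a.owner_guid == owner_guid and (a.published or is_owner)]

if __name__ == "__main__":
    print(list_names_guid_only("guid-alice"))             # includes the Beta name
    print(list_names_checked("guid-alice"))               # published names only
    print(list_names_checked("guid-alice", b"alice-key")) # owner sees everything
```

The point of the second function is that the GUID is treated as an identifier, not a credential: the same key that already gates the error reports also gates the unpublished names.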

  • Just wanted to note that this is still exploitable and hasn't been resolved yet. My guess is that Garmin has stopped working on this after the "fix" in SDK 8.2.2. Which, to be fair, this is a pretty minor issue, so they could just have not prioritized it, and that helps reduce the chance people stumble upon it, even though it isn't a complete fix.
