
Ypsomed mylife Vulnerabilities

Vulnerabilities that insufficiently protect credentials or could allow MitM attacks

Summary

Four vulnerabilities in Ypsomed's mylife diabetes management software have been found. Exploitation of these vulnerabilities could expose credentials or allow an opportunity for a Man-in-the-Middle attack.


Affected platforms

The following platforms are known to be affected:

Ypsomed mylife Cloud Versions: all prior to 1.7.2

Ypsomed mylife App Versions: all prior to 1.7.5


Threat details

Introduction

Security researchers have discovered four vulnerabilities in Ypsomed's mylife diabetes management platform. If successfully exploited, a remote attacker could obtain sensitive application information or modify data in transit.

The first two vulnerabilities concern insufficiently protected credentials: one discloses password hashes during the registration process, and the other reflects the user's password during the login process when redirecting from an HTTPS endpoint to an HTTP endpoint. The third and fourth vulnerabilities could allow a Man-in-the-Middle (MitM) attack: the third centres on a known weakness in how initialisation vectors (IVs) are used with Cipher Block Chaining (CBC) mode, and the fourth on hard-coded secrets.
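The CBC initialisation vector weakness referred to above is easiest to see with a small check. The following Go program is an added illustration, not code from Ypsomed or from the advisory: it encrypts two constructed JSON records that share a 16-byte prefix, once under a fixed IV and once under a fresh random IV, and reports whether the first ciphertext blocks collide. The key, IV and message contents are made-up sample values; a static or predictable IV lets an observer tell that two messages start the same way without knowing the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pad applies PKCS#7 padding so the plaintext is a whole number of AES blocks.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// EncryptCBC encrypts plaintext with AES-CBC and returns iv||ciphertext.
// When iv is nil a fresh random IV is drawn (the safe pattern); otherwise the
// caller's IV is reused as-is (the weak pattern this check is meant to expose).
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if iv == nil {
		iv = make([]byte, aes.BlockSize)
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
	}
	padded := pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append([]byte{}, iv...), ct...), nil
}

// SharesFirstBlock reports whether two iv||ciphertext values carry an identical
// first ciphertext block: with a repeated IV and key, that reveals a shared
// plaintext prefix to anyone observing the traffic.
func SharesFirstBlock(a, b []byte) bool {
	return bytes.Equal(a[aes.BlockSize:2*aes.BlockSize], b[aes.BlockSize:2*aes.BlockSize])
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16)              // constructed demo key
	staticIV := make([]byte, aes.BlockSize)            // all-zero fixed IV (weak)
	m1 := []byte(`{"user":"alice","glucose":5.4}`)      // constructed sample record
	m2 := []byte(`{"user":"alice","glucose":9.1}`)      // same 16-byte prefix
	a, _ := EncryptCBC(key, staticIV, m1)
	b, _ := EncryptCBC(key, staticIV, m2)
	fmt.Println("static IV leaks shared prefix:", SharesFirstBlock(a, b)) // true
	c, _ := EncryptCBC(key, nil, m1)
	d, _ := EncryptCBC(key, nil, m2)
	fmt.Println("random IV leaks shared prefix:", SharesFirstBlock(c, d)) // false
}
```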


Remediation advice

Ypsomed have updated their mylife Cloud backend services to mitigate the vulnerabilities affecting mylife Cloud versions prior to 1.7.2.

Affected organisations should contact their relevant suppliers and ensure all mylife app users have updated to version 1.7.5 or later.



Last edited: 16 July 2021 1:33 pm