CVE ID: CVE-2025-61114
Vulnerability type: Incorrect Access Control
Product: 2nd Line (Android App)
**Package Name:** com.mysecondline.app
Version: 1.2.92
Vendor: AutoBizLine, Inc.
<aside> 💡
NOTE: We reported this issue via email on 2025-09-05 and received confirmation. The issue has now been fixed and cannot be reproduced in the public environment.
</aside>
The app's internal services authenticate requests with two parameters: user_number (the account's email address) and user_token.
However, the server only compares the first character of user_token against the stored value. As a result, a token truncated to its first character (every subsequent character removed) is still accepted and the request is executed successfully.

An attacker who knows a victim's email address therefore only needs to guess a single character: by sending one request per possible first character of user_token, the attacker obtains a value the server accepts for that account, enabling unauthorized queries against it.
I successfully demonstrated this attack against a second account that I registered myself. For example, using the POST /secondline/user/get_user endpoint:

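The first-character check and the brute force described above, modelled as an added example (this is not the app's code, the vendor's code, or the reporter's test request). The server-side logic is an assumption reconstructed from the observed behaviour; the token alphabet, the sample account, the request dict and the status codes are constructed for the demo. The hardened_verify function shows the full-length, constant-time comparison the check should have used.

```python
"""Model of the first-character token check and a brute force against it.

Added example, not code from the 2nd Line app, its vendor, or the reporter.
The server-side logic is an assumption reconstructed from the observed
behaviour (only the first character of user_token is compared); the token
alphabet, the sample account and the response shape are constructed for
the demo.
"""
import hmac
import string

ENDPOINT = "/secondline/user/get_user"

# Assumed token alphabet: letters and digits, 62 candidates for one position.
ALPHABET = string.ascii_letters + string.digits

# Constructed sample account; the real server issues tokens at login.
ACCOUNTS = {"victim@example.com": "kQ7vN2pL9xRz"}


def vulnerable_verify(user_number, user_token, accounts=ACCOUNTS):
    """Assumed reconstruction of the flawed check: only token[0] is compared."""
    stored = accounts.get(user_number)
    if stored is None or not user_token:
        return False
    return user_token[0] == stored[0]


def hardened_verify(user_number, user_token, accounts=ACCOUNTS):
    """Fixed check: compare the whole token, in constant time."""
    stored = accounts.get(user_number)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), user_token.encode())


def handle_get_user(request, verify):
    """Stand-in for POST /secondline/user/get_user.

    Field names (user_number, user_token) follow the advisory; the request
    dict and the status codes are assumptions for the demo.
    """
    if request.get("method") != "POST" or request.get("path") != ENDPOINT:
        return {"status": 404}
    user_number = request.get("user_number", "")
    user_token = request.get("user_token", "")
    if verify(user_number, user_token):
        return {"status": 200, "user_number": user_number}
    return {"status": 401}


def brute_force_first_char(user_number, verify, alphabet=ALPHABET):
    """Send one request per candidate first character.

    Returns (accepted_token, attempts). Against the flawed check this needs
    at most len(alphabet) requests; against the fixed check it never succeeds.
    """
    attempts = 0
    for ch in alphabet:
        attempts += 1
        resp = handle_get_user(
            {"method": "POST", "path": ENDPOINT,
             "user_number": user_number, "user_token": ch},
            verify,
        )
        if resp["status"] == 200:
            return ch, attempts
    return None, attempts


if __name__ == "__main__":
    for name, verify in (("vulnerable", vulnerable_verify),
                         ("hardened", hardened_verify)):
        token, n = brute_force_first_char("victim@example.com", verify)
        print(f"{name}: accepted token={token!r} after {n} requests")
```

With the assumed 62-character alphabet the flawed check falls after at most 62 requests per target email, whereas the full-length comparison rejects every single-character guess; a real server should additionally rate-limit failed authentication attempts so that even a short search is noisy.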