CVE ID: CVE-2025-61120
Vulnerability type: Incorrect Access Control
Product: AG Life Logger (Android App)
Package Name: com.donki.healthy
Version: 1.0.2.72
Vendor: IO FIT, K.K.
<aside> 💡
NOTE: We reported this issue via email on 2025-09-05. After more than 45 days without any response or remediation from the vendor, we are publishing this report on 2025-10-20 out of concern for transparency and user security. We remain open to cooperating with the vendor should they choose to respond in the future.
</aside>
Credentials for accessing the cloud server are exposed in the traffic, which can lead to information disclosure and other consequences.

Multiple tests revealed that, in the email verification code the server provides during login, the middle four digits are fixed as “2020” and only the first and last two digits vary. An attacker could brute-force the varying digits to log in to any account.
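A server-side audit and fix for the verification-code weakness described above, as an added example (not code from the app or the vendor): it finds constant positions in a sample of issued codes, then shows a generator with no fixed digits plus an expiry and attempt cap. The 8-digit length, the sample codes, all function and class names, and the TTL and attempt limits are assumptions made for illustration.

```python
import hmac
import secrets
import time

# Constructed sample of issued codes (not captured from the app). The 8-digit
# length is an assumption; the report only states the middle four digits are "2020".
SAMPLE_CODES = ["41202073", "09202018", "77202050",
                "30202096", "58202024", "12202081"]


def fixed_positions(codes):
    """Return {index: digit} for positions that are identical in every code."""
    length = len(codes[0])
    if any(len(c) != length or not c.isdigit() for c in codes):
        raise ValueError("codes must be digit strings of equal length")
    return {i: codes[0][i] for i in range(length)
            if all(c[i] == codes[0][i] for c in codes)}


def effective_keyspace(codes):
    """Number of candidates left once constant positions are discounted."""
    return 10 ** (len(codes[0]) - len(fixed_positions(codes)))


def new_code(digits=8):
    """Every digit drawn from the OS CSPRNG, so no position is predictable."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


class Challenge:
    """One issued code with an expiry and a hard cap on wrong guesses."""

    def __init__(self, ttl=300, max_attempts=5):
        self.code = new_code()
        self.expires = time.monotonic() + ttl
        self.attempts_left = max_attempts

    def verify(self, guess):
        if self.attempts_left <= 0 or time.monotonic() > self.expires:
            return False  # locked or expired: caller must request a new code
        self.attempts_left -= 1
        ok = hmac.compare_digest(self.code.encode(), guess.encode())
        if ok:
            self.attempts_left = 0  # single use
        return ok


if __name__ == "__main__":
    print(fixed_positions(SAMPLE_CODES), effective_keyspace(SAMPLE_CODES))
```

Running `fixed_positions` over codes collected from a staging login flow gives a quick regression check that no digit position has become constant again.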