A high-severity vulnerability has been identified in the Senza: Keto & Fasting Android App. This flaw could allow a remote, unauthenticated attacker to bypass security controls and access sensitive user data, including personal health information. Successful exploitation could lead to a significant data breach, compromising the confidentiality of all app users.

The application contains a hardcoded API key within the Android application package (APK). This key is used for authenticating requests to the backend server infrastructure. An attacker can reverse-engineer the mobile application to extract this static key and use it to make direct, unauthorized API calls to the backend, bypassing user-specific authentication mechanisms. This allows the attacker to query and exfiltrate sensitive personal and health data belonging to other users of the service.

This vulnerability is rated as high severity with a CVSS score of 7.5. Exploitation could result in a mass data breach of sensitive user information, including personally identifiable information (PII) and protected health information (PHI). Such an incident would likely lead to severe reputational damage, loss of customer trust, and potential regulatory fines under data protection laws such as GDPR or CCPA. The direct financial impact could be substantial due to incident response costs, legal fees, and potential loss of business.

Immediate Action: Organizations must apply the security updates provided by the vendor immediately across all managed devices. End-users should be instructed to update the application to the latest version via the official Google Play Store. After patching, review backend API access logs for any anomalous activity originating from a single IP address or user agent attempting to access multiple user accounts.

Proactive Monitoring: Monitor backend API logs for unusual patterns, such as a high volume of requests using the compromised API key, enumeration attempts against user IDs, or large data exfiltration payloads. Implement alerts for requests that bypass standard authentication flows. Network monitoring should be configured to detect and flag suspicious traffic patterns directed at the application's backend infrastructure.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) or an API gateway rule to block or rate-limit requests using the compromised hardcoded API key. If possible, the compromised key should be revoked on the backend; however, this may disrupt service for users on the unpatched, vulnerable application version.

Public Exploit Available: false

Given the high-severity rating and the risk of a significant sensitive data breach, this vulnerability requires immediate attention. Although it is not currently listed on the CISA KEV catalog, the potential impact on customer privacy and business reputation is severe. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patch across all endpoints and implement the proactive monitoring controls outlined above to detect any potential compromise.