Impact
Because of the way the COVIDSafe app cached tempIDs, an attacker could query the cache over an extended period of time and receive the cached tempID rather than a refreshed tempID. This allowed the attacker to re-identify a device from a previous encounter, enabling long-term tracking of the device beyond the intended lifespan of a tempID.
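A simplified model of the caching flaw described above, next to a hardened form that ties each cache entry to the lifetime of the tempID it holds. This is an added example, not COVIDSafe's code; the class and function names, the per-peer cache keying and the 900-second rotation window are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass

ROTATION_SECONDS = 900  # constructed value for the demo, not taken from the app


@dataclass(frozen=True)
class TempId:
    value: str
    expires_at: int  # end of the rotation window, in seconds


def issue_temp_id(now: int) -> TempId:
    """Stand-in issuer (hypothetical): one pseudonymous ID per rotation window."""
    window = now // ROTATION_SECONDS
    value = hashlib.sha256(f"demo-device:{window}".encode()).hexdigest()[:16]
    return TempId(value, (window + 1) * ROTATION_SECONDS)


class StaleReadCache:
    """Flawed pattern: a cached entry is served with no lifetime check."""

    def __init__(self):
        self._by_peer = {}  # keyed by reading peer (an assumption of this model)

    def read(self, peer: str, now: int) -> str:
        if peer not in self._by_peer:
            self._by_peer[peer] = issue_temp_id(now)
        return self._by_peer[peer].value


class ExpiringReadCache(StaleReadCache):
    """Hardened pattern: an entry never outlives the tempID it holds."""

    def read(self, peer: str, now: int) -> str:
        entry = self._by_peer.get(peer)
        if entry is None or now >= entry.expires_at:
            entry = self._by_peer[peer] = issue_temp_id(now)
        return entry.value


def distinct_ids_seen(cache, peer: str, read_times) -> int:
    """Count how many different tempIDs one peer observes across its reads."""
    return len({cache.read(peer, t) for t in read_times})


# Constructed timeline: one peer reads every 5 minutes for 3 hours.
READ_TIMES = range(0, 3 * 3600, 300)
```

With the flawed cache the peer sees one identifier for the whole timeline; with the expiry check it sees a new one in every rotation window.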
Patches
This issue was fixed in COVIDSafe v1.0.17 for Android.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-12857