Summary
Four high-severity security vulnerabilities discovered during automated deep check on 2026-04-10. These are new findings not covered by existing issues.
1. Deep Link Handler Allows Arbitrary Internal Navigation
File: src/app/app.component.ts lines 97-104
The deep link handler splits incoming URLs on .app and passes the result directly to router.navigateByUrl() without validation. An attacker can craft deep links to navigate users to arbitrary routes with injected query/matrix parameters.
    App.addListener('appUrlOpen', (event: URLOpenListenerEvent) => {
      this.zone.run(() => {
        // Everything after ".app" in the incoming URL is treated as an in-app route
        const slug = event.url.split('.app').pop();
        if (slug) this.router.navigateByUrl(slug); // No validation
      });
    });
Impact: Enables forced navigation to unguarded routes with arbitrary parameters. Combined with #3378 (password in route params), creates an attack chain via crafted deep links.
Fix: Validate hostname matches capture-cam-deep-links.web.app, allowlist known routes, strip matrix/query parameters.
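A hardened replacement for the handler above, added here as an example and not taken from the project: the hostname comes from the Fix line, while the route allowlist and the function names are assumed stand-ins for the app's real route table.

```typescript
// Hardened deep link handling, added as an example; the host comes from the
// finding's Fix line, the route allowlist below is an assumed stand-in.
const DEEP_LINK_HOST = 'capture-cam-deep-links.web.app';

// Routes a deep link may open (assumed values; use the app's real route table).
// Everything else is dropped instead of being handed to navigateByUrl().
const ALLOWED_ROUTES: readonly string[] = ['/home', '/capture', '/activity'];

function parseUrl(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null; // relative or malformed input never reaches the router
  }
}

/**
 * Returns a safe in-app path for an incoming deep link, or null when the
 * link must be ignored. Replaces `event.url.split('.app').pop()`.
 */
export function sanitizeDeepLink(rawUrl: string): string | null {
  const parsed = parseUrl(rawUrl);
  if (!parsed) return null;
  // Exact hostname comparison: a suffix match on ".app" would also accept
  // hosts such as capture-cam-deep-links.web.app.attacker.example, and a
  // userinfo trick (https://capture-cam-deep-links.web.app@other/...)
  // yields a different hostname once parsed.
  if (parsed.protocol !== 'https:' || parsed.hostname !== DEEP_LINK_HOST) {
    return null;
  }
  // Query string and fragment are discarded by using pathname only; Angular
  // matrix parameters (";key=value") are cut from every path segment.
  const segments = parsed.pathname
    .split('/')
    .map((segment) => segment.split(';')[0])
    .filter((segment) => segment.length > 0);
  const path = '/' + segments.join('/');
  // Allow an exact route or a child of it, never a lookalike prefix
  // such as /homeless.
  const allowed = ALLOWED_ROUTES.some(
    (route) => path === route || path.startsWith(route + '/'),
  );
  return allowed ? path : null;
}

// Usage inside the listener from the finding:
//   const target = sanitizeDeepLink(event.url);
//   if (target) this.router.navigateByUrl(target);
```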
2. Missing AuthGuard on Sensitive Routes
File: src/app/app-routing.module.ts lines 52-91
The following routes lack canActivate: [AuthGuard]:
- wallets — exposes wallet balances and private keys
- contacts — exposes user contact list
- media-viewer/:src — accepts arbitrary user-controlled URL as route param
- invitation, data-policy, terms-of-use
Impact: Combined with Finding 1, an attacker can deep-link directly to wallet/contact pages or the media viewer with arbitrary content.
Fix: Add canActivate: [AuthGuard] to all sensitive routes.
3. Unauthenticated Requests to Bubble DB API
Files:
src/app/shared/actions/service/actions.service.ts lines 13-40
src/app/shared/actions/service/order-history.service.ts lines 51-97
All HTTP requests to BUBBLE_DB_URL are sent without authentication headers. The send$(url, body) method at line 38 makes unauthenticated POST requests to arbitrary URLs — an SSRF vector.
Impact: Anyone who discovers the Bubble DB URL can read all actions, order history, and create fraudulent records. send$ enables server-side request forgery.
Fix: Add auth headers to all Bubble API requests. Restrict send$ with URL allowlist.
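A restricted replacement for send$(url, body), added here as an example and not taken from the project: the BUBBLE_DB_URL value is a placeholder, the bearer token is assumed to be issued by the backend per session, and the transport is injected so the allowlist logic can be exercised without a network.

```typescript
// Allowlisted Bubble DB client, added as an example. BUBBLE_DB_URL is a
// placeholder and the token source is assumed; wire both to the real config.
const BUBBLE_DB_URL = 'https://bubble-db.example/api/1.1';

export interface BubbleRequest {
  url: string;
  method: 'POST';
  headers: Record<string, string>;
  body: string;
}

function parse(raw: string): URL | null {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

/** True only for URLs at the configured Bubble API origin and path prefix. */
export function isAllowedBubbleUrl(url: string): boolean {
  const target = parse(url);
  const base = parse(BUBBLE_DB_URL);
  if (!target || !base) return false;
  // Same scheme, host and port, and the path must sit under the API prefix
  // (trailing-slash aware), so neither another host nor another path on the
  // same host can be reached through this client.
  const prefix = base.pathname.endsWith('/') ? base.pathname : base.pathname + '/';
  return target.origin === base.origin && target.pathname.startsWith(prefix);
}

/** Builds the request, refusing anything outside the allowlisted API. */
export function buildBubbleRequest(url: string, body: unknown, token: string): BubbleRequest {
  if (!isAllowedBubbleUrl(url)) throw new Error('refusing request outside the Bubble DB API');
  if (!token) throw new Error('missing Bubble API token');
  return {
    url,
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      // The authentication header the original send$ lacked. The token is assumed
      // to be issued per user session by the backend, never compiled into the bundle.
      Authorization: `Bearer ${token}`,
    },
    body: JSON.stringify(body),
  };
}

/** Transport is injected (Angular's HttpClient.post in the app, a stub in tests). */
export function sendToBubble(url: string, body: unknown, token: string,
  post: (req: BubbleRequest) => Promise<unknown>): Promise<unknown> {
  return post(buildBubbleRequest(url, body, token));
}
```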
4. TRUSTED_CLIENT_KEY Embedded in Client-Side Bundle
Files:
set-secret.js line 9
src/app/shared/dia-backend/auth/dia-backend-auth.service.ts lines 189, 253, 402
The TRUSTED_CLIENT_KEY is baked into the JavaScript bundle at build time. This key authorizes user registration and Google signup endpoints. Extractable from the APK/IPA on rooted/jailbroken devices.
Impact: Enables automated account creation abuse, signup spam, and potential access to any endpoint that relies on this key.
Fix: Use device attestation (SafetyNet/App Attest) instead of static API key. Implement rate limiting and backend-side verification.
5. Angular Framework XSS Vulnerabilities (npm audit)
npm audit reports 43 HIGH severity vulnerabilities including Angular-specific XSS CVEs:
- Angular Stored XSS via SVG Animation, SVG URL, and MathML Attributes
- Angular XSS via Unsanitized SVG Script Attributes
- Angular i18n XSS in attribute bindings
- Angular XSRF Token Leakage via Protocol-Relative URLs
Current @angular/core version: ^18.2.14. These are patched in newer Angular 18.x releases.
Fix: Update Angular packages to latest 18.x patch. Run ng update @angular/core@18 @angular/cli@18.
Generated by Heart Beat with Omni