Medium
resolved
Any installed app can force immediate logout and persistent DOS of authenticated Basecamp sessions via unprotected exported StartActivity
Bug reported by Z was disclosed on July 4, 2026, 11:05 am | Improper Access Control - Generic
A vulnerability was discovered in the Basecamp Android app that allowed any installed app to force immediate logout and persistent denial-of-service of authenticated Basecamp sessions. The vulnerability was due to the `com.basecamp.bc4.app.main.start.StartActivity` being declared as exported without any permission guard. This allowed any app to launch it with an explicit intent, terminating the current session and forcing the user back to the login screen. The behavior was confirmed to be reliable, silent, and persistent.
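A manifest audit for the condition described above, as an added example that is not from the report or from Basecamp's code: it lists activities in a decoded `AndroidManifest.xml` that are exported without an `android:permission` guard. The sample manifest, the `com.example.app` package and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical com.example.app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <application>
    <activity android:name=".start.StartActivity" android:exported="true"/>
    <activity android:name=".LauncherActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ShareActivity" android:exported="true"
        android:permission="com.example.app.permission.SHARE"/>
    <activity android:name=".SettingsActivity" android:exported="false"/>
    <activity android:name=".LegacyDeepLink">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""


def is_exported(component):
    # An explicit android:exported wins. When it is absent, an intent-filter
    # implies exported=true for apps targeting API 30 and lower.
    value = component.get(ANDROID + "exported")
    if value is not None:
        return value.lower() == "true"
    return component.find("intent-filter") is not None


def unguarded_exported_activities(manifest_xml):
    """Return (name, is_launcher) for every exported activity that no
    android:permission protects, on the component or on <application>."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for comp in app.findall("activity") + app.findall("activity-alias"):
        guard = comp.get(ANDROID + "permission") or app.get(ANDROID + "permission")
        if not is_exported(comp) or guard:
            continue
        categories = {c.get(ANDROID + "name") for c in comp.iter("category")}
        findings.append((comp.get(ANDROID + "name"),
                         "android.intent.category.LAUNCHER" in categories))
    return findings
```

A finding flagged as the launcher has to stay exported, so the review there moves to what the activity does with session state when it is started from outside the app.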

