Tomofun Furbo 360 and Furbo Mini Insecure Storage of Sensitive Information Vulnerability

Vulnerability

A vulnerability exists in the Tomofun Furbo 360 and Furbo Mini models in certain firmware versions. The issue arises from an unknown function in the file collect_logs.sh, part of the Debug Log S3 Bucket Handler component. The result is insecure storage of sensitive information; exploitation requires local access. Affected firmware versions include Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074.

Impact

Exploitation of this vulnerability allows unauthorized upload of arbitrary data to the Furbo Device Debug Log S3 bucket. This could compromise the integrity of Furbo's debug-log data, or compromise their systems or services if uploaded malware is executed. Furthermore, because device IDs are issued sequentially, there is a risk of uploading files under the paths associated with other users' devices.

Reproduction

To reproduce this vulnerability, access the Furbo device or extract the Furbo service file. If directly on the device, navigate to the temporary application bin directory and read the collect_logs.sh file. The x-amz-grant-full-control header, which is stored in this file, can then be used to upload files to the S3 bucket as if originating from a Furbo device.
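As an added defender-side example that is not part of this advisory or of Furbo's firmware: a Python check that audits shell scripts in an extracted firmware image for hardcoded S3 grant headers and long-lived AWS credentials, the class of finding described above. The sample script contents, bucket name and canonical-ID value are constructed placeholders.

```python
import re
from pathlib import Path

# Constructed stand-in for a log-collection script; the grant header value and
# bucket name are placeholders, not the real values from the Furbo firmware.
SAMPLE_SCRIPT = """#!/bin/sh
LOG_DIR=/tmp/logs
tar czf /tmp/debuglog.tgz "$LOG_DIR"
curl -X PUT \\
  -H "x-amz-grant-full-control: id=PLACEHOLDER_CANONICAL_ID" \\
  --data-binary @/tmp/debuglog.tgz \\
  "https://PLACEHOLDER-BUCKET.s3.amazonaws.com/${DEVICE_ID}/debuglog.tgz"
echo done
"""

# Values that should never be embedded in a firmware script: S3 ACL grant
# headers (which let the holder write to the bucket as a trusted device) and
# static AWS credentials.
PATTERNS = {
    "s3-grant-header": re.compile(
        r"x-amz-grant-(full-control|write|read|write-acp|read-acp)", re.I),
    "aws-access-key-id": re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws-secret-key-var": re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S+"),
}


def scan_script_text(text):
    """Return (line_no, finding_name, stripped_line) for each flagged line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                findings.append((line_no, name, line.strip()))
    return findings


def scan_firmware_tree(root):
    """Scan every *.sh file under an extracted firmware root; map path -> findings."""
    results = {}
    for path in Path(root).rglob("*.sh"):
        hits = scan_script_text(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


if __name__ == "__main__":
    for line_no, name, line in scan_script_text(SAMPLE_SCRIPT):
        print(f"line {line_no}: {name}: {line}")
```

Run scan_firmware_tree against the root of an unpacked firmware image to check every shell script, not just the constructed sample.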

Added: Oct 12, 2025, 6:17 PM
Updated: Oct 12, 2025, 6:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.6
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.