Petlibro Smart Pet Feeder Platform Authentication Bypass Vulnerability Allowing Account Takeover
Vulnerability
An authentication bypass vulnerability has been identified in the Petlibro Smart Pet Feeder Platform, affecting versions through 1.7.31. This vulnerability allows unauthenticated attackers to access any user account by exploiting flaws in OAuth token validation within the social login system. Attackers can send requests to the '/member/auth/thirdLogin' endpoint with arbitrary Google IDs and phoneBrand parameters to obtain full session tokens and access user accounts without proper OAuth verification.
Impact
Exploitation of this vulnerability allows for complete account takeover, including access to private audio recordings, device hijacking, and unauthorized access to pet data.
Reproduction
To reproduce this vulnerability, send a request to the '/member/auth/thirdLogin' endpoint with a Google ID and phoneBrand parameter. The response will include a session token, member ID, email, and access to the user's account. Once authenticated, any pet data, device information, and private audio recordings can be accessed.
Remediation
Petlibro has introduced a new endpoint that properly verifies OAuth tokens, but the old vulnerable endpoint remains active for legacy compatibility, so the bypass is still reachable. Users are advised to monitor for updates and upgrade once a version that removes the vulnerable endpoint is available.
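The verification the remediation calls for, as an added example that is not Petlibro's code: a social-login handler that trusts a client-supplied Google ID (the flaw described above) beside one that issues a session only after checking an ID token's signature, issuer, audience and expiry. It assumes a constructed HS256 shared secret in place of Google's RS256 public keys, a hypothetical client ID, and an idToken field name that the advisory does not mention.

```python
# Added illustration, not Petlibro's code. HS256 with a constructed shared secret stands in
# for Google's RS256/JWKS check; field names follow the advisory (googleId, phoneBrand, idToken).
import base64, hmac, hashlib, json, secrets, time
TEST_SECRET = b"constructed-test-secret"                   # stand-in for Google's signing keys
OUR_CLIENT_ID = "example-app.apps.googleusercontent.com"  # hypothetical OAuth client id
VALID_ISSUERS = {"accounts.google.com", "https://accounts.google.com"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_test_token(claims: dict, key: bytes = TEST_SECRET) -> str:
    """Build a constructed ID token so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, now=None):
    """Return verified claims, or None if signature, issuer, audience or expiry fail.
    The header's alg field is deliberately ignored: key and algorithm are fixed server-side."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(TEST_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:             # malformed structure, base64 or JSON
        return None
    now = time.time() if now is None else now
    if not isinstance(claims, dict) or claims.get("iss") not in VALID_ISSUERS:
        return None
    if claims.get("aud") != OUR_CLIENT_ID:
        return None
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims if claims.get("sub") else None

def third_login_vulnerable(params: dict) -> dict:
    """The flaw described above: the account identity is taken from the request body."""
    return {"memberId": params["googleId"], "phoneBrand": params.get("phoneBrand"),
            "token": secrets.token_hex(16)}

def third_login_hardened(params: dict):
    """Identity comes only from a verified ID token; any client-supplied googleId is ignored."""
    claims = verify_id_token(params.get("idToken", ""))
    if claims is None:
        return None                # no proof of a Google login: issue no session
    return {"memberId": claims["sub"], "email": claims.get("email"),
            "token": secrets.token_hex(16)}
```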
