Petlibro Smart Pet Feeder Platform Authorization Bypass Vulnerability Allowing Unauthorized Device Access
Vulnerability
An authorization bypass vulnerability has been identified in the Petlibro Smart Pet Feeder Platform, affecting versions through 1.7.31. This vulnerability allows unauthorized users to add themselves as shared owners on any device by exploiting inadequate permission checks. Attackers can send requests to the device share API, gaining unauthorized access to devices and the ability to view owner information without proper authorization validation.
Impact
Exploitation of this vulnerability allows for unauthorized access to devices, including the ability to view owner information and potentially hijack device functions.
Reproduction
The vulnerability can be reproduced by sending a request to the device share API, which lacks authorization checks. Access to that API can be obtained through the authorization bypass in the social login API, which does not properly verify OAuth tokens. Once unauthorized access is gained, shared ownership can be added to any device.
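The following is an added illustration, not Petlibro's code: a minimal device-share handler in the vulnerable shape the advisory describes (authentication only, no ownership check) beside a hardened version that binds the share action to the device owner, plus a log-review helper that flags share grants made by non-owners. The Device model, function names and the in-memory store are assumptions.

```python
# Added example (not the vendor's code). Device, DEVICES and the share_device_*
# names are assumptions; the device fleet below is constructed sample data.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requester is not allowed to perform the action."""


@dataclass
class Device:
    device_id: str
    owner: str
    shared_with: set = field(default_factory=set)


# Constructed sample fleet: two owners, one feeder each.
DEVICES = {
    "feeder-1": Device("feeder-1", owner="alice"),
    "feeder-2": Device("feeder-2", owner="bob"),
}


def share_device_vulnerable(requester: str, device_id: str, target_user: str) -> Device:
    """Checks only that a session exists (the caller is authenticated), never
    whether the requester owns the device: any logged-in user can add anyone,
    themselves included, as a shared owner of any device id."""
    device = DEVICES[device_id]
    device.shared_with.add(target_user)
    return device


def share_device_fixed(requester: str, device_id: str, target_user: str) -> Device:
    """Object-level authorization: sharing is allowed only to the owner.
    Unknown and foreign device ids get the same error so the endpoint does
    not reveal which ids exist."""
    device = DEVICES.get(device_id)
    if device is None or device.owner != requester:
        raise Forbidden("requester is not the owner of this device")
    device.shared_with.add(target_user)
    return device


def audit_share_events(events):
    """Detection over (requester, device_id, target) log tuples: return every
    share grant where the requester was not the device owner (unknown device
    ids are flagged too)."""
    return [e for e in events if DEVICES.get(e[1]) is None or DEVICES[e[1]].owner != e[0]]
```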
Remediation
Users are advised to update to the latest version of the Petlibro Smart Pet Feeder Platform, where this vulnerability has been addressed.
