Petlibro Smart Pet Feeder Platform Audio Information Disclosure Vulnerability
Vulnerability
An information disclosure vulnerability has been identified in the Petlibro Smart Pet Feeder Platform, affecting versions through 1.7.31. This vulnerability allows unauthorized access to private audio recordings by exploiting sequential audio IDs and insecure assignment endpoints. Attackers can send requests to the device audio endpoint with arbitrary audio IDs to assign recordings to any device, and then retrieve audio URLs to access other users' private recordings.
Impact
Exploitation of this vulnerability allows for unauthorized access to private audio recordings, enabling interception of personal messages recorded for pets.
Reproduction
To reproduce this vulnerability, send a request to the '/device/deviceAudio/use' endpoint with a chosen audio ID. The audio ID can be any sequential ID, as the endpoint does not verify ownership. Once the audio is assigned to a device, fetch the device information to retrieve the audio URL, which will provide access to the private recording.
Remediation
Users are advised to update to the latest version of the Petlibro Smart Pet Feeder Platform, as the vulnerability has been addressed in version 1.7.31.
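The ownership check that the assignment endpoint was missing, shown as an added example that is not Petlibro's code. It is a minimal in-memory model in which `Store`, `use_audio`, `device_info`, the user and device names, and the sample URL are all hypothetical. It sets the unchecked assignment described under Reproduction beside a version that verifies ownership on both the write and the read path and issues random rather than sequential audio IDs.

```python
import secrets
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Caller does not own the referenced device or recording."""

@dataclass
class Store:
    # Constructed in-memory stand-in for the platform database (assumption).
    audio_owner: dict = field(default_factory=dict)   # audio_id -> user_id
    audio_url: dict = field(default_factory=dict)     # audio_id -> URL
    device_owner: dict = field(default_factory=dict)  # device_id -> user_id
    device_audio: dict = field(default_factory=dict)  # device_id -> audio_id

    def add_audio(self, user_id, url):
        # Random identifier, so IDs cannot be walked by counting.
        audio_id = secrets.token_urlsafe(16)
        self.audio_owner[audio_id] = user_id
        self.audio_url[audio_id] = url
        return audio_id

def use_audio_unchecked(store, caller, device_id, audio_id):
    # Behaviour the advisory describes: any audio ID is accepted.
    store.device_audio[device_id] = audio_id

def use_audio(store, caller, device_id, audio_id):
    # Hardened write path: device AND recording must belong to the caller.
    # Unknown IDs fail the same way, so responses do not reveal which IDs exist.
    if store.device_owner.get(device_id) != caller:
        raise Forbidden("not permitted")
    if store.audio_owner.get(audio_id) != caller:
        raise Forbidden("not permitted")
    store.device_audio[device_id] = audio_id

def device_info(store, caller, device_id):
    # Hardened read path: re-check ownership before returning any URL, so a
    # stale or wrongly assigned recording is never disclosed.
    if store.device_owner.get(device_id) != caller:
        raise Forbidden("not permitted")
    audio_id = store.device_audio.get(device_id)
    if audio_id is None or store.audio_owner.get(audio_id) != caller:
        return {"device_id": device_id, "audio_url": None}
    return {"device_id": device_id, "audio_url": store.audio_url[audio_id]}

if __name__ == "__main__":
    s = Store(device_owner={"dev-alice": "alice", "dev-bob": "bob"})
    rec = s.add_audio("alice", "https://cdn.example.invalid/alice.mp3")
    use_audio(s, "alice", "dev-alice", rec)
    print(device_info(s, "alice", "dev-alice"))
```

Checking ownership on the read path as well covers assignments made before the write-path check existed.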
