Petlibro Smart Pet Feeder Platform Information Disclosure Vulnerability via Insecure API Endpoints
Vulnerability
An information disclosure vulnerability has been identified in the Petlibro Smart Pet Feeder Platform, affecting versions through 1.7.31. The 'getBoundDevices' API endpoint returns device hardware information keyed only by pet ID and does not verify that the caller is authorized for that pet, so a request carrying a pet ID the caller does not own still returns the bound device's serial number and MAC address. Because the serial number is then sufficient to address the device, the disclosure leads to full control over the feeder without any proper authorization check.
Impact
Exploitation of this vulnerability gives an unauthorized party the serial number and MAC address of any feeder whose pet ID they can supply. The serial number can then be used to gain full control over that pet feeder device.
Reproduction
To reproduce this vulnerability, send a request to the '/device/devicePetRelation/getBoundDevices' API endpoint that includes a pet ID. The response contains the serial number and MAC address of the device bound to that pet; no check is made that the requester owns the pet. With the serial number it is possible to gain full control over the device, including changing feeding schedules, accessing camera feeds, and modifying device settings.
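The authorization flaw behind this endpoint is a broken object-level authorization (IDOR) pattern. The following is a constructed illustration added here; it is not Petlibro's code and does not reproduce the real request format. It places a lookup keyed only by pet ID, in the style the report describes, beside a hardened version that requires the authenticated caller to own the pet before any bound-device data is read. The function names, the sample pet and device records, and the ownership model are all assumptions for illustration.

```python
"""
Constructed example (not Petlibro code) of the broken object-level
authorization pattern behind a 'getBoundDevices'-style lookup, beside a
hardened form. All identifiers, data and names below are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    serial: str
    mac: str


# Constructed sample data (assumption): which account owns which pet, and
# which device each pet is bound to. No real identifiers are used.
PET_OWNER = {
    "pet-1001": "user-a",
    "pet-1002": "user-b",
}
PET_DEVICES = {
    "pet-1001": [Device("SER-EXAMPLE-0001", "02:00:00:00:00:01")],
    "pet-1002": [Device("SER-EXAMPLE-0002", "02:00:00:00:00:02")],
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested pet."""


def get_bound_devices_vulnerable(pet_id: str) -> list:
    """Vulnerable pattern: the lookup is keyed only by pet_id. Any caller
    who can guess or enumerate a pet ID receives that pet's device serial
    number and MAC address, regardless of who owns the pet."""
    return [{"serial": d.serial, "mac": d.mac} for d in PET_DEVICES.get(pet_id, [])]


def get_bound_devices_hardened(caller_user_id: str, pet_id: str) -> list:
    """Hardened pattern: the pet must belong to the authenticated caller.
    Ownership is checked before any device data is read. An unknown pet and
    a pet owned by someone else produce the same error, so the endpoint
    cannot be used as an oracle for which pet IDs exist."""
    if PET_OWNER.get(pet_id) != caller_user_id:
        raise Forbidden("pet is not bound to the calling account")
    # Return only what the client needs. Hardware identifiers such as the
    # serial number and MAC should be omitted unless a feature requires them.
    return [{"serial": d.serial, "mac": d.mac} for d in PET_DEVICES[pet_id]]


def enumerate_vulnerable(pet_ids):
    """Simulates an attacker walking a range of pet IDs against the
    vulnerable lookup and collecting every serial number that comes back."""
    found = {}
    for pid in pet_ids:
        for dev in get_bound_devices_vulnerable(pid):
            found[pid] = dev["serial"]
    return found


def enumerate_hardened(caller_user_id, pet_ids):
    """The same walk against the hardened lookup: only the caller's own
    pets yield data, every other ID is rejected."""
    found = {}
    for pid in pet_ids:
        try:
            for dev in get_bound_devices_hardened(caller_user_id, pid):
                found[pid] = dev["serial"]
        except Forbidden:
            continue
    return found


if __name__ == "__main__":
    ids = ["pet-1001", "pet-1002", "pet-1003"]
    print("vulnerable lookup leaks:", enumerate_vulnerable(ids))
    print("hardened lookup as user-a:", enumerate_hardened("user-a", ids))
```

The fix that matters is the ownership check running before the data access, not after it; a check that filters the response after the devices have been loaded still leaks timing and existence information. Returning the same error for "not yours" and "does not exist" also keeps the endpoint from being used to enumerate valid pet IDs.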
