Petlibro Smart Pet Feeder Platform Broken Access Control Vulnerability
Vulnerability
A broken access control vulnerability has been identified in the Petlibro Smart Pet Feeder Platform, affecting versions through 1.7.31. This vulnerability allows authenticated users to access other users' pet data by exploiting a lack of ownership verification. Attackers can send requests to the pet detail endpoint with arbitrary pet IDs to retrieve sensitive information such as pet details, member IDs, and avatar URLs, all without proper authorization checks.
Impact
Exploitation of this vulnerability could lead to unauthorized access to sensitive pet data, including health information and private audio recordings. It also enables device hijacking: an attacker who reaches a pet's bound devices could manipulate feeding schedules, access camera feeds, and modify device settings. Separately, the platform's social login endpoint accepted arbitrary Google IDs, which allowed an authentication bypass in which attackers could log into any account via Google login.
Reproduction
To reproduce this vulnerability, authenticate a user account using the vulnerable social login API endpoint that accepts arbitrary Google IDs. Once authenticated, access the pet detail endpoint with any pet ID to retrieve sensitive information about that pet, including details, member ID, and avatar URL. This vulnerability can be further exploited by accessing bound devices through the pet ID, hijacking those devices, and accessing private audio recordings by assigning them to any device.
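The root cause described in the Vulnerability and Reproduction sections is an object-level authorization gap: the pet detail endpoint authenticates the caller but never checks that the requested pet belongs to that caller, and device operations reached through the pet ID inherit the same gap. The following is an added example, not Petlibro's code; the data model, function names and HTTP-style status codes are assumptions. It places the flawed lookup beside a corrected handler that binds ownership to the authenticated session, returns the same 404 for "not found" and "not yours" so the endpoint cannot confirm which IDs exist, and records denied attempts for detection.

```python
"""Object-level authorization on a pet detail endpoint: flawed vs. corrected.

Added example code (not the Petlibro platform's code). The Pet model,
PETS table, function names and status codes are assumptions chosen to
illustrate the ownership check the advisory says was missing.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Response = Tuple[int, Optional[dict]]   # (status code, JSON body)


@dataclass
class Pet:
    pet_id: int
    owner_id: int                     # member who registered the pet
    name: str
    avatar_url: str
    bound_devices: List[str] = field(default_factory=list)


# Constructed sample data: two members, each owning one pet with one feeder.
PETS: Dict[int, Pet] = {
    101: Pet(101, owner_id=1, name="Mochi",
             avatar_url="https://example.invalid/avatars/101.png",
             bound_devices=["feeder-A"]),
    102: Pet(102, owner_id=2, name="Biscuit",
             avatar_url="https://example.invalid/avatars/102.png",
             bound_devices=["feeder-B"]),
}

# Stand-in for the audit log a SOC would ingest; one line per denied access.
DENIED_LOG: List[str] = []


def _serialize(pet: Pet) -> dict:
    """Fields comparable to those the advisory says were exposed."""
    return {"petId": pet.pet_id, "memberId": pet.owner_id, "name": pet.name,
            "avatarUrl": pet.avatar_url, "devices": list(pet.bound_devices)}


def pet_detail_vulnerable(session_user_id: int, pet_id: int) -> Response:
    """The flawed pattern: caller is authenticated, but the record is fetched
    by ID alone. session_user_id is accepted and then ignored."""
    pet = PETS.get(pet_id)
    if pet is None:
        return 404, None
    return 200, _serialize(pet)


def pet_detail_fixed(session_user_id: int, pet_id: int) -> Response:
    """Corrected pattern: ownership is compared against the identity in the
    server-side session, never against anything supplied in the request.

    An unknown pet and a pet owned by someone else produce the identical
    response, so the endpoint cannot be used to learn which IDs are live.
    """
    pet = PETS.get(pet_id)
    if pet is None or pet.owner_id != session_user_id:
        if pet is not None:   # real record, wrong owner: worth an audit line
            DENIED_LOG.append(
                f"access_denied user={session_user_id} pet={pet_id} "
                f"owner={pet.owner_id}")
        return 404, None
    return 200, _serialize(pet)


def device_bound_fixed(session_user_id: int, pet_id: int,
                       device_id: str) -> bool:
    """Every device operation reached via a pet ID reuses the same ownership
    check, so a fixed pet endpoint does not leave a bypass through devices."""
    status, detail = pet_detail_fixed(session_user_id, pet_id)
    return status == 200 and device_id in detail["devices"]


def foreign_records_readable(handler, session_user_id: int) -> int:
    """Regression check for the fix: how many pets not owned by this user
    does the handler still return? The corrected handler must yield 0."""
    return sum(
        1 for pid, pet in PETS.items()
        if pet.owner_id != session_user_id and handler(session_user_id, pid)[0] == 200
    )


if __name__ == "__main__":
    print("vulnerable handler leaks", foreign_records_readable(pet_detail_vulnerable, 1), "foreign pet(s)")
    print("fixed handler leaks", foreign_records_readable(pet_detail_fixed, 1), "foreign pet(s)")
    print("audit:", DENIED_LOG)
```

The two design points worth carrying into a real service: the owner comparison uses the session's identity rather than any member ID in the request body or URL, and the check lives in the one function that every pet-scoped operation (details, bound devices, recordings) calls, rather than being repeated per endpoint where one omission reopens the hole.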
Remediation
Users are advised to update to the latest version of the Petlibro Smart Pet Feeder Platform, where this vulnerability has been addressed.
