Tuya SDK Cross-Site Request Forgery Vulnerability in OAuth Implementation
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the OAuth implementation of the Tuya SDK for Android and iOS (fixed in SDK version 6.5.0). It affects the Tuya Smart and Smartlife mobile applications, as well as third-party applications that integrate the SDK. The applications do not validate the OAuth `state` parameter when they handle the callback of the account-linking flow, so the callback is never bound to a linking request that the victim's own app started. An attacker can therefore craft an authorization link carrying an authorization code issued for the attacker's own Amazon Alexa account and trick a victim into opening it; the victim's app completes the flow and links the attacker's Alexa account to the victim's Tuya account. Through that linked Alexa account the attacker gains unauthorized access to the victim's Tuya-connected devices, such as cameras, doorbells, door locks, or alarms.
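The missing check, shown as an added example that is not Tuya's code: a constructed account-linking flow in Python (the SDK itself is Android/iOS, but the logic is the same in any language) with the callback handler written twice, once without the state check as the advisory describes and once binding the callback to the state minted when linking started. The session object, link store, authorization-code table and URLs are stand-ins assumed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins (not Tuya SDK or Amazon APIs): the app session of a
# logged-in Tuya user and the store recording which Alexa account is linked.

@dataclass
class Session:
    user: str                            # logged-in Tuya account
    pending_state: Optional[str] = None  # state minted when linking was started


@dataclass
class LinkStore:
    links: Dict[str, str] = field(default_factory=dict)  # Tuya user -> Alexa account


# Constructed mapping from authorization code to the Alexa account it was
# issued for, standing in for the token exchange with the authorization server.
CODES = {"code-victim": "alexa:victim", "code-attacker": "alexa:attacker"}

AUTHORIZE_URL = "https://auth.example/authorize"    # hypothetical
CALLBACK_URL = "https://app.example/oauth/callback"  # hypothetical


def start_linking(session: Session) -> str:
    """Begin account linking: mint an unguessable state, bind it to this
    session, and return the authorization URL the app opens."""
    session.pending_state = secrets.token_urlsafe(32)
    return f"{AUTHORIZE_URL}?client_id=tuya-app&state={session.pending_state}"


def parse_callback(url: str) -> Dict[str, str]:
    """Return the query parameters of a callback (or authorization) URL."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_callback(session: Session, store: LinkStore, url: str) -> bool:
    """Links whichever account the code belongs to. The state parameter is
    never compared with session.pending_state, so a link crafted by an
    attacker is processed exactly like one the user's own flow produced."""
    params = parse_callback(url)
    store.links[session.user] = CODES[params["code"]]
    return True


def hardened_callback(session: Session, store: LinkStore, url: str) -> bool:
    """Accepts the callback only if it carries the state minted for this
    session; the state is single-use and is consumed before anything else."""
    params = parse_callback(url)
    expected, session.pending_state = session.pending_state, None
    received = params.get("state", "")
    if expected is None or not hmac.compare_digest(expected.encode(), received.encode()):
        return False  # no linking in progress, or state mismatch: treat as CSRF
    store.links[session.user] = CODES[params["code"]]
    return True


def simulate_attack(handler) -> tuple:
    """Victim is logged in and opens a link the attacker crafted with an
    authorization code issued for the attacker's own Alexa account."""
    victim = Session(user="tuya:victim")
    store = LinkStore()
    start_linking(victim)  # a flow the victim started does not help the attacker
    crafted = f"{CALLBACK_URL}?code=code-attacker&state=attacker-chosen"
    return handler(victim, store, crafted), store.links.get(victim.user)


def simulate_legitimate_flow(handler) -> tuple:
    """The user's own flow: the state from the authorization URL comes back
    unchanged, and the same callback must not be accepted twice."""
    user = Session(user="tuya:victim")
    store = LinkStore()
    state = parse_callback(start_linking(user))["state"]
    callback = f"{CALLBACK_URL}?code=code-victim&state={state}"
    first = handler(user, store, callback)
    replay = handler(user, store, callback)
    return first, replay, store.links.get(user.user)


if __name__ == "__main__":
    print("vulnerable:", simulate_attack(vulnerable_callback))            # (True, 'alexa:attacker')
    print("hardened:  ", simulate_attack(hardened_callback))              # (False, None)
    print("legitimate:", simulate_legitimate_flow(hardened_callback))     # (True, False, 'alexa:victim')
```

Three properties of the hardened handler matter: the state is unguessable and bound to the session that started linking, it is consumed before any other work so a captured callback cannot be replayed, and a missing state is rejected rather than treated as "nothing to check". On a mobile client the callback usually arrives through an app link or custom URL scheme, which any web page or other app can trigger, so the state check is the only thing tying the callback to the user's own request.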
Impact
Exploitation of this vulnerability links the attacker's Amazon Alexa account to the victim's Tuya account, giving the attacker unauthorized access to, and remote control of, the victim's Tuya-connected devices through that Alexa account.
Remediation
Users are advised to update the Tuya Smart and Smartlife applications to version 6.5.0 or above. Developers of third-party applications should rebuild against Tuya SDK version 6.5.0 or later and confirm that their account-linking callback rejects any response whose `state` does not match the value issued for the current linking request.
