YoSmart YoLink Application Session Token Vulnerability

Vulnerability

Versions of the YoSmart YoLink application prior to October 2, 2025 issue session tokens with unexpectedly long lifetimes. This flaw allows for prolonged unauthorized access to user accounts.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user accounts for an extended period, allowing attackers to control connected YoLink devices remotely. This could include unlocking smart locks or opening garage doors, depending on the devices linked to the user's account.

Reproduction

The vulnerability can be reproduced by logging into the YoSmart YoLink application and observing the session token issued. This token can be used to access the user's account and control connected devices. The long lifetime of the token allows for continued access without re-authentication.

Added: Oct 6, 2025, 8:18 PM
Updated: Oct 6, 2025, 8:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.