Gardyn Home Kit and Studio Remote User Profile Pivot Vulnerability

Vulnerability

A vulnerability exists in the Gardyn Home Kit and Gardyn Studio ecosystems, specifically within the Gardyn Cloud API. The issue allows authenticated users to access other user profiles by altering the ID number in the API call. This vulnerability could lead to unauthorized access to personal information and cloud-based devices managed within the Gardyn environment.
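The flaw class described above, shown as an added example that is not Gardyn's code or part of the original advisory: a handler that confirms the caller is logged in but trusts the client-supplied ID, next to one that ties the requested profile to the authenticated session. All names, tokens, IDs and fields are hypothetical and the data is constructed.

```python
# Constructed sample data; field names and IDs are hypothetical, not Gardyn's schema.
PROFILES = {
    101: {"name": "Alice Example", "email": "alice@example.test", "devices": ["dev-a1"]},
    102: {"name": "Bob Example", "email": "bob@example.test", "devices": ["dev-b7"]},
}

# Constructed session store: bearer token -> authenticated user ID.
SESSIONS = {"token-alice": 101, "token-bob": 102}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested object."""


def authenticate(token):
    """Return the user ID bound to a session token, or raise if unknown."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Forbidden("unauthenticated") from None


def get_profile_flawed(token, profile_id):
    """Flawed pattern: checks that the caller is logged in, then trusts the
    client-supplied profile_id without comparing it to the caller's identity."""
    authenticate(token)
    return PROFILES[profile_id]


def get_profile_checked(token, profile_id):
    """Corrected pattern: the requested object must belong to the caller.
    Unknown and foreign IDs get the same error, so IDs cannot be enumerated."""
    caller_id = authenticate(token)
    if profile_id != caller_id or profile_id not in PROFILES:
        raise Forbidden("not authorized for this profile")
    return PROFILES[profile_id]


def is_denied(handler, token, profile_id):
    """Helper for checks: True when the handler refuses the request."""
    try:
        handler(token, profile_id)
    except Forbidden:
        return True
    return False
```

The same ownership comparison applies to every endpoint that takes an object ID, including device endpoints, not only the profile lookup.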

Impact

Exploitation of this vulnerability could allow authenticated users to access and control other users' edge devices, cloud-based devices, and personal information, including limited data such as names, addresses, phone numbers, and email addresses.

Remediation

Users are advised to update their Gardyn mobile application to version 2.11.0 or later and ensure their Gardyn Home Kit and Studio devices are upgraded to firmware version master.622 or later. Further information on Gardyn security can be found on the Gardyn security webpage, and customer support is available via email at support@mygardyn.com.

Added: Apr 3, 2026, 9:26 PM
Updated: Apr 3, 2026, 9:26 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.2
remediation: 0.0
relevance: 5.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.