Gardyn User Account Information Exposure Vulnerability

Vulnerability

A vulnerability exists in the Gardyn ecosystem, specifically within the Gardyn Home Kit and Gardyn Studio components. The issue arises from an API endpoint that exposes all user account information for registered Gardyn users without requiring authentication. This vulnerability allows unauthenticated users to access and control edge devices, cloud-based devices, and user information. It also enables pivoting to other edge devices managed in the Gardyn cloud environment.

Impact

Exploitation of this vulnerability could lead to unauthorized access to user account information, including limited personal details such as name, address, phone number, and email. It could also allow for remote control of Gardyn devices, potentially altering their lighting or watering functions.

Remediation

Users are advised to update their Gardyn mobile application to version 2.11.0 or later and ensure their Gardyn devices are upgraded to firmware version master.622 or later. Further information on Gardyn security can be found on the Gardyn security webpage. For customer support, contact Gardyn at support@mygardyn.com.

Added: Apr 3, 2026, 9:25 PM
Updated: Apr 3, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 5.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.