Meari OpenAPI Device Status IDOR Vulnerability Allowing WAN IP Disclosure
Vulnerability
A server-side authorization flaw in the 'GET /openapi/device/status' API at 'openapi-euce.mearicloud.com' affects Meari client applications built on 'com.meari.sdk', including CloudEdge version 5.5.0 build 220 and Arenti version 1.8.1 build 220. The endpoint returns WAN IP information for any device named in the request without checking that the requester is authorized for that device (an insecure direct object reference), which enables geolocation of devices without user authentication.
Impact
Exploitation of this vulnerability allows unauthorized access to the WAN IP addresses of devices, which can be used to geolocate those devices and potentially enables stalking or profiling of individuals.
Reproduction
To reproduce this vulnerability, install a Meari client application such as CloudEdge or Arenti and log in. The static OpenAPI key embedded in the app can then be used to sign a request to the 'openapi-euce.mearicloud.com' endpoint that targets a specific device by its serial number. The response includes the device's WAN IP and relay information.
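As an added illustration (not Meari's code, and not a reproduction of the request described above), the following Python models the authorization flaw behind the 'GET /openapi/device/status' endpoint with an in-memory device table: a handler gated only by the app-wide static API key, the same handler with the object-level ownership check that closes the IDOR, and a server-side log check for cross-account lookups. Device serials, account IDs and addresses are constructed placeholders.

```python
from typing import Optional

# Constructed sample data: placeholder serials, accounts and addresses.
DEVICES = {
    "SN-EXAMPLE-0001": {"owner": "acct-a", "wan_ip": "203.0.113.10", "relay": "relay-eu-1"},
    "SN-EXAMPLE-0002": {"owner": "acct-b", "wan_ip": "198.51.100.7", "relay": "relay-eu-2"},
}


class Forbidden(Exception):
    """Request rejected: bad signature, or caller not authorised for the device."""


def device_status_vulnerable(api_key_valid: bool, serial: str) -> dict:
    """The pattern the advisory describes: the only gate is the app-wide static
    OpenAPI key, so anyone who can sign a request can read any device's status."""
    if not api_key_valid:
        raise Forbidden("bad signature")
    dev = DEVICES[serial]  # no check of who is asking, only of what they ask for
    return {"wan_ip": dev["wan_ip"], "relay": dev["relay"]}


def device_status_hardened(api_key_valid: bool, account_id: Optional[str],
                           serial: str) -> dict:
    """Object-level authorisation: the serial must belong to the account bound to
    the caller's session. Unknown and foreign serials get the same error so the
    endpoint does not reveal which serials exist."""
    if not api_key_valid or account_id is None:
        raise Forbidden("authentication required")
    dev = DEVICES.get(serial)
    if dev is None or dev["owner"] != account_id:
        raise Forbidden("device not found")
    return {"wan_ip": dev["wan_ip"], "relay": dev["relay"]}


def cross_account_lookups(access_log):
    """Server-side detection: return (account, serial) pairs where the requesting
    account does not own the serial, i.e. probing of other users' devices."""
    return [(acct, sn) for acct, sn in access_log
            if DEVICES.get(sn, {}).get("owner") != acct]


def is_forbidden(handler, *args) -> bool:
    """True when the handler rejects the request with Forbidden."""
    try:
        handler(*args)
    except Forbidden:
        return True
    return False
```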
