Meari IoT Cloud Unauthenticated Access to Alert Images on Alibaba OSS

Vulnerability

A vulnerability exists in the Meari IoT Cloud service, specifically in the storage of alert images on Alibaba OSS. Motion snapshots can be accessed without authentication, signed URLs, or expiration enforcement. The URLs, which act as direct object references, remain valid indefinitely, leading to unauthorized access to private indoor and baby-monitor camera images.

Impact

Exploitation of this vulnerability allows unauthorized parties to access sensitive visual data from baby monitors, including private moments such as breastfeeding and diaper changes. The lack of expiration on the image URLs means that this access can be persistent, creating ongoing privacy violations.

Reproduction

The vulnerability can be reproduced by subscribing to the MQTT broker with a free CloudEdge account. Once subscribed, motion alert messages containing unencrypted URLs to the alert images can be intercepted. These URLs can then be accessed directly, without any authentication or expiry.
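The control the advisory says is missing is a signed URL with an enforced expiry. The following is an added illustration, not code from this advisory or from Meari: a signing routine modeled on the general shape of OSS v1 URL signing (OSSAccessKeyId, Expires and Signature query parameters over an HMAC-SHA1 string-to-sign), a server-side verifier that rejects unsigned, expired or altered links, and an audit helper that flags bare image URLs in alert payloads. The access key, bucket, endpoint and sample alert messages are constructed placeholders.

```python
"""Signed, expiring object URLs for camera alert images (added example)."""
import base64
import hashlib
import hmac
import time
from typing import List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder credentials and object location; not real values.
ACCESS_KEY_ID = "EXAMPLE_ACCESS_KEY_ID"
ACCESS_KEY_SECRET = b"example-secret-do-not-use"
BUCKET = "example-alert-images"
ENDPOINT = "oss-example-region.aliyuncs.com"
SIGNING_PARAMS = ("OSSAccessKeyId", "Expires", "Signature")


def _string_to_sign(method: str, expires: int, bucket: str, key: str) -> bytes:
    # Layout: VERB, Content-MD5, Content-Type, Expires, CanonicalizedResource.
    # MD5 and Content-Type are empty for a plain GET of an existing object.
    return f"{method}\n\n\n{expires}\n/{bucket}/{key}".encode()


def _signature(expires: int, key: str) -> str:
    digest = hmac.new(ACCESS_KEY_SECRET, _string_to_sign("GET", expires, BUCKET, key),
                      hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_url(key: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return a URL for `key` that stops working after `ttl_seconds`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({
        "OSSAccessKeyId": ACCESS_KEY_ID,
        "Expires": str(expires),
        "Signature": _signature(expires, key),
    })
    return f"https://{BUCKET}.{ENDPOINT}/{key}?{query}"


def url_is_signed(url: str) -> bool:
    """Audit check: does the link carry all three signing parameters?"""
    qs = parse_qs(urlparse(url).query)
    return all(p in qs for p in SIGNING_PARAMS)


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Server-side check: signed, for this bucket, unexpired and untampered."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    if parsed.hostname != f"{BUCKET}.{ENDPOINT}" or not url_is_signed(url):
        return False
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["Expires"][0])
    except ValueError:
        return False
    if expires <= now:
        return False  # expiry is enforced, so an old link cannot be replayed
    key = parsed.path.lstrip("/")
    # Recompute over the path actually requested so a swapped object key fails.
    return hmac.compare_digest(_signature(expires, key), qs["Signature"][0])


# Constructed sample alert payloads, as a defender might log them from a broker.
SAMPLE_ALERTS = [
    {"event": "motion", "image_url": sign_url("cam01/2026-05-11/alert.jpg", 300, now=1_000_000)},
    {"event": "motion", "image_url": f"https://{BUCKET}.{ENDPOINT}/cam02/2026-05-11/alert.jpg"},
    {"event": "heartbeat"},
]


def find_unsigned_alert_urls(payloads: List[dict]) -> List[str]:
    """Return image links in alert payloads that lack signing parameters."""
    return [p["image_url"] for p in payloads
            if "image_url" in p and not url_is_signed(p["image_url"])]


if __name__ == "__main__":
    for bare in find_unsigned_alert_urls(SAMPLE_ALERTS):
        print("unsigned alert image URL:", bare)
```

The audit helper is the check to run over your own deployment's alert payloads: any image link that comes back without Expires and Signature parameters is a permanent direct object reference of the kind this advisory describes. The verifier recomputes the signature over the requested path, so changing the object key or the expiry in a captured link invalidates it.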

Added: May 11, 2026, 5:46 PM
Updated: May 11, 2026, 5:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.8
remediation: 0.0
relevance: 8.0
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.