Key Takeaways
Multiple severe security flaws have been discovered in the ecosystem of Petlibro, a popular manufacturer of smart pet feeders and other IoT pet products, including an authentication bypass that permitted logging in as any user, a lack of ownership checks that allowed access to anyone's pet details, and device hijacking that exposed device serial numbers, MAC addresses, and private audio recordings.
One of the identified vulnerabilities was a critical authentication bypass that allowed complete takeover of any user account that signed in with Google.
The vulnerability resided in a legacy API endpoint that failed to properly verify OAuth tokens, instead accepting a publicly accessible Google ID as a form of authentication.
This fundamental design flaw enabled an attacker to gain full session control over any target account with nothing more than the target's email address.
The report said the vulnerabilities created significant risks for smart pet feeders, extending beyond account access. The researcher found that multiple API endpoints lacked proper authorization checks, resulting in a cascade of data exposures:
An attacker could query for any pet's detailed information, including breed, weight, and photos.
This access also revealed the serial numbers and MAC addresses of linked devices, which could permit a malicious actor to hijack device functions, such as changing feeding schedules or viewing camera feeds, and access private audio recordings used for mealtime calls.
Furthermore, attackers could add themselves as a shared owner to any device, with the response disclosing the original owner's email.
According to the researcher's disclosure timeline, Petlibro acknowledged the report and eventually patched the vulnerabilities. Yet the company left the critical authentication bypass active for over two months after disclosure, citing the need to support legacy app versions.
While a new, secure endpoint was created, the vulnerable one allegedly remained operational, leaving users exposed. The endpoint was reportedly removed only after the researcher published their findings.
A December report highlighted the risks posed by outdated embedded browsers in smart TVs, gaming apps, and game consoles.