1.7M Password hashes, No Auth Required Access Tokens

Disclosed by
superevr
  • Engagement Undisclosed
  • Disclosed date almost 3 years ago
  • Priority P1 Bugcrowd's VRT priority rating
  • Status Informational This vulnerability is seen as an accepted business risk
Summary by superevr

If you have a Wemo account, change your password as soon as possible.

Report details
  • Submitted
  • Target Location: Wemo
  • Target category: Hardware Testing
  • VRT: Sensitive Data Exposure > Disclosure of Secrets > For Publicly Accessible Asset
  • Priority: P1
  • Bug URL: https://appapis.xwemo.com:8443/transition-service/rest/accountEntities
  • Description

    Not to cause offense, but this is probably one of the most egregious security vulnerabilities I have ever found. I found this entirely by accident, while trying to troubleshoot my own Wemos so that they could turn on my Christmas lights.

    Web service endpoints did not have any authentication to access. For example:

    1. https://appapis.xwemo.com:8443/transition-service/rest/accountEntities
      The provided URL provides the username and password hash of all Wemo user accounts. The hash is base64-encoded SHA-256. It's not salted, and so it is very vulnerable to brute-force attacks.

    2. https://appapis.xwemo.com:8443/transition-service/rest/sessionEntities
      The provided URL has authentication tokens for all wemo users.

    Both 1 and 2 could be used to directly log in and control another user's Wemo devices.

    Additionally, another URL appears to be related to backend processes, as it contains active Salesforce authentication tokens:
    https://appapis.xwemo.com:8443/transition-service/rest/salesforceTokenEntities

    I started to write up a report for this, but once I discovered the hashes, I looking and submitted this form.

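The report describes the exposed hashes as unsalted, base64-encoded SHA-256 of the password. The following is an added example (not code from the report or from Wemo) that shows why that matters: without a salt, one precomputed lookup table cracks every account whose password is in a wordlist, and users who share a password are visible as identical hashes before any cracking. The account records and wordlist below are constructed for the demonstration; the e-mail addresses and passwords are invented.

```python
import base64
import binascii
import hashlib
from typing import Dict, Iterable, List, Tuple


def encode_hash(password: str) -> str:
    """base64(SHA-256(password)) with no salt, the scheme the report describes."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed sample records in the shape the report describes:
# (username, base64-encoded unsalted SHA-256 of the password). Not real data.
SAMPLE_ACCOUNTS: List[Tuple[str, str]] = [
    ("alice@example.invalid", encode_hash("Password1")),
    ("bob@example.invalid", encode_hash("christmas2019")),
    ("carol@example.invalid", encode_hash("Password1")),      # same password as alice
    ("dave@example.invalid", encode_hash("k7$Qz!92pLwX@v")),  # not in the wordlist
]

# Constructed wordlist standing in for a real password dictionary.
WORDLIST: List[str] = [
    "123456", "password", "Password1", "letmein", "christmas2019", "wemo1234",
]


def is_plausible_hash(value: str) -> bool:
    """True if the value is valid base64 that decodes to a 32-byte SHA-256 digest."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, binascii.Error):
        return False


def build_lookup(wordlist: Iterable[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext once. With no per-user salt this table is
    reusable against every account in the dump, which is the core weakness."""
    return {encode_hash(word): word for word in wordlist}


def crack(accounts: Iterable[Tuple[str, str]], wordlist: Iterable[str]) -> Dict[str, str]:
    """Return {username: plaintext} for every account whose hash is in the table."""
    table = build_lookup(wordlist)
    return {user: table[h] for user, h in accounts if is_plausible_hash(h) and h in table}


def group_identical(accounts: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group users by identical hash. Without a salt, equal hashes mean equal
    passwords, so one cracked hash unlocks every user in the group."""
    groups: Dict[str, List[str]] = {}
    for user, h in accounts:
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    for user, plaintext in crack(SAMPLE_ACCOUNTS, WORDLIST).items():
        print(f"{user}: {plaintext}")
    for h, users in group_identical(SAMPLE_ACCOUNTS).items():
        print(f"shared hash {h[:12]}... used by {', '.join(users)}")
```

Three of the four constructed accounts fall to a six-word list in a single pass, and alice and carol are linked as sharing a password before any guess is made. A per-user random salt would defeat both effects, since each account would then need its own table.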
Activity