[Redacted] is one of the largest sellers of air conditioners in the Middle East, China, North America, South America and Asia. With the rapid change in technology, [Redacted] decided to provide an application connected to the Internet so that, for customers' ease, they can manage their air conditioner from the application.
Sounds like great news? Well, it is. You can manage different profiles from a single application. For example, in summer, while you're leaving for home and want to turn on your room air conditioner so you don't have to come home and start it manually, all you need is a few clicks and voila!
The application has brought ease to some extent. But did anyone think, for once, about privacy or application security, i.e. how all of this would be managed, since the application exposes your air conditioner over the Internet?
Having an instinct to really look into application security that involves customers' private data, I found certain modules concerning enough for somebody like me to dig into and find out how the application architecture works and how it conceals/protects customer data. Basic enumeration brought me to the point that all the devices/air conditioners registered via the application are presented to the back-end administrator on a dashboard, which is further divided by region. For instance, if someone from North America has registered their device through the app, the back-end panel administrator would easily be able to view the details and activity.
(Screenshot attached; private data removed, as I don't want to expose customers' confidential data in public.)
So my device is being monitored/watched by the [Redacted] authorities? YES, you're right. This CMS provides insight into the user's location, IP address and other critical details pertaining to the customer.
While in all of this, I forgot to mention that the Android application uses insecure methodologies for data communication, i.e. the APIs travel over HTTP with no SSL pinning. Anyone with malicious intentions can intercept or read the traffic going to and from the application and obtain credentials easily. Wait, is it for real? YES, it is. All you need is the token and you can modify details. In the example below, an attempt was made to modify the Nickname.
This is not limited to what is mentioned above. If you want to delete your account, you're asked for the current password. Sadly, it doesn't validate the current password entered, hence the account can be deleted without authorization.
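To make the missing check concrete, here is an added example (not the vendor's code; the in-memory account store and the handler names are assumed) showing a delete-account handler that accepts but never verifies the supplied current password, as described above, beside a hardened version that checks it against the stored hash in constant time and invalidates the account's sessions.

```python
import hashlib
import hmac
import os

def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for the example, tune for production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountService:
    """Constructed in-memory stand-in for the back-end account store (assumption)."""

    def __init__(self):
        self.accounts = {}   # account_id -> {"salt": bytes, "hash": bytes}
        self.sessions = {}   # session token -> account_id

    def register(self, account_id: str, password: str) -> str:
        salt = os.urandom(16)
        self.accounts[account_id] = {"salt": salt, "hash": _hash_password(password, salt)}
        token = os.urandom(16).hex()
        self.sessions[token] = account_id
        return token

    def delete_account_vulnerable(self, token: str, current_password: str) -> bool:
        # Mirrors the reported behaviour: the password field is received but never
        # checked, so possession of a session token alone is enough to delete the account.
        account_id = self.sessions.get(token)
        if account_id is None:
            return False
        del self.accounts[account_id]
        return True

    def delete_account_fixed(self, token: str, current_password: str) -> bool:
        # Hardened: the session must resolve to an account AND the supplied password
        # must match that account's stored hash; comparison is constant-time.
        account_id = self.sessions.get(token)
        if account_id is None:
            return False
        rec = self.accounts[account_id]
        candidate = _hash_password(current_password, rec["salt"])
        if not hmac.compare_digest(candidate, rec["hash"]):
            return False
        del self.accounts[account_id]
        # Invalidate every session belonging to the deleted account.
        self.sessions = {t: a for t, a in self.sessions.items() if a != account_id}
        return True
```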
Oh yeah, the signatures, for example dataVC and the like: here's the snippet of code that generates signatures to validate requests.
With a little enumeration of their web server, I was able to find the directory of the IIS instance hosting the web application.
Timeline of Contacting Vendor:
Reported to Vendor: Mon, Sep 3, 2018.
Reported to Vendor Again: Tue, Oct 4, 2018.
Follow-up with Vendor: Tue, Nov 20, 2018.
Public Disclosure: Mon, 4 Feb, 2019.
The mentioned vulnerabilities were reported to [Redacted]. Since no response has been received to date, I approached CVE and generated an ID for the subject vulnerability in order to educate the public about its severity.
Note: This is for educational purposes. All of the vulnerabilities/bugs were responsibly reported to [Redacted] before making this post.