How I found critical vulnerabilities in Petlibro smart pet feeders allowing complete account takeover via broken OAuth, access to anyone's pet data, device hijacking, and private audio recordings - and how they're still leaving the auth bypass active for 'legacy compatibility' two months later.

I was looking at the Petlibro app - they make smart pet feeders, water fountains, and other IoT pet products. Millions of pet owners use these things to feed their cats and dogs remotely.

What I found was… a lot.

  • mfed1122@discuss.tchncs.deEnglish
    9·
    23 days ago

    $500 seems offensively low for how bad this is. This is the second vulnerability I’ve seen from this guy where the company security seemed just unbelievably bad. Like it’s basically non-existent.

    • winkerjadams@lemmy.dbzer0.comEnglish
      2·
      23 days ago

      There’s no consequences or accountability when they get hacked so they have no reason to care. Its just $500 gone with no potential profit to them. And capitalism gonna capitalism

  • Pistcow@lemmy.worldEnglish
    91·
    23 days ago

    I went from a Ruckus to Ubiquiti setup for my house and saw soooo much more with unifi.

    My dog treat dispenser was sending a ton of traffic to China.

    • greybeard@feddit.onlineEnglish
      4·
      23 days ago

      There are several “smart” technologies that are designed to be local. In my house, I have an old Dell Micro PC that has a zigbee antenna on it. All of my smart lights and switches are zigbee. Zigbee is a low power, offline, wireless meshing standard for IOT that doesn’t have any concept of “internet” or “routing”. It all runs through home assistant, a privacy respecting home automation platform. Home Assistant also plugs into lots of other devices in my house.