Multiple vulnerabilities in the web interface behind the Jacuzzi SmartTub app could have disclosed customers' private data to attackers, security researcher Eaton Zveare warns.
The expert's attempts to notify the company initially went unanswered; the flaws have since been addressed.
The SmartTub app, which is available for both iOS and Android, allows customers to remotely control the Jacuzzi SmartTub, for example by setting the water temperature or turning on the water jets.
SmartTub is composed of a module inside the tub with cell data reception that can manage tub functionality, and the mobile app. The tub module is always connected to a central server, providing tub status updates and listening for commands.
To test the SmartTub, the expert created an account using the app and began testing it, for example by adding the account password to his password manager and checking which website/URL should be associated with it. He noticed that the account confirmation email came from smarttub.io, so that is the site he used.
“After setting the password in my password manager, I went to the smarttub.io site to see what was there. There was an Auth0-branded login page. SmartTub uses Auth0 for their login and user account system. If you don’t want to build your own login and user account system, Auth0 is a good choice and saves you a lot of time by providing a full & secure user account system out of the box. Anything you build from scratch is unlikely to be as secure as Auth0’s offerings.” reads a post published by the expert. “I entered my details, thinking this was a website alternative to the mobile app. I was greeted with an Unauthorized screen.”
Right before that message appeared, the expert noticed a header and a table briefly flash on his screen. Using a screen recorder he was able to capture it and discover that the page was an admin panel populated with user data.
smarttub.io hosts a single-page application (SPA) built with React. The login form sends usernames and passwords to the third-party identity platform Auth0 for verification.
The researcher modified the HTTP response using the Fiddler tool and was able to access the admin panel, indicating that the panel's access check was enforced in the browser rather than on the server.
Once inside the portal, an attacker could access users' first and last names, email addresses, phone numbers (where provided) and other sensitive data.
“Once into the admin panel, the amount of data I was allowed to [see] was staggering. I could view the details of every spa, see its owner and even remove their ownership.” concludes the expert.
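The following is an added illustration, not SmartTub's, Auth0's or the researcher's code: a minimal model of the client-side authorization pattern the article describes beside a server-side check that keeps the data from leaving the server. The token format, the `role` claim and the sample spa rows are constructed assumptions.

```javascript
// Constructed sample rows standing in for the admin panel's spa table.
const SPAS = [
  { id: "spa-001", owner: "alice@example.com", phone: "+1-555-0100" },
  { id: "spa-002", owner: "bob@example.com", phone: null },
];

// Assumed token shape "user:<email>:<role>". A real deployment validates the
// identity provider's signed token here; only the role claim matters for the demo.
function verifyToken(token) {
  const [kind, sub, role] = String(token).split(":");
  if (kind !== "user" || !sub) return null;
  return { sub, role: role || "customer" };
}

// VULNERABLE pattern: every logged-in user receives the full table, and the
// response merely tells the SPA whether to display it. Because the rows are
// already in the HTTP response, the client-side gate is the only thing hiding
// them, which is why the table can flash before the "Unauthorized" screen.
function adminSpasVulnerable(token) {
  const identity = verifyToken(token);
  if (!identity) return { status: 401, body: null };
  return { status: 200, body: { authorized: identity.role === "admin", spas: SPAS } };
}

// The client-side gate as an SPA would apply it; it controls rendering only.
function renderAdminPanel(body) {
  return body.authorized ? `table:${body.spas.length} rows` : "Unauthorized";
}

// HARDENED pattern: the role is checked on the server before any row is
// selected, so a non-admin caller gets a 403 and no owner data at all.
function adminSpasHardened(token) {
  const identity = verifyToken(token);
  if (!identity) return { status: 401, body: null };
  if (identity.role !== "admin") return { status: 403, body: null };
  return { status: 200, body: { spas: SPAS } };
}

// Detection helper: does a raw API response carry owner data regardless of
// what the browser ends up showing?
function leaksOwnerData(response) {
  return Boolean(response.body && response.body.spas && response.body.spas.length > 0);
}
```

Comparing `leaksOwnerData` on the two handlers for a customer-role token shows the difference: the vulnerable response carries every row even though the SPA renders "Unauthorized", while the hardened response carries none.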
The researcher reported the flaw to Jacuzzi Brands in December, and the company addressed it on 4 June.
(SecurityAffairs – hacking, Jacuzzi)