Numerous bugs riddle the security of the Chinese-made Yunmai Smart Scale. The vulnerabilities specifically affect the Yunmai Smart Scale app; exploiting them could allow an adversary to access users’ personal data. While the vendor fixed one of the bugs, the patch could still be bypassed.
Yunmai Smart Scale App Vulnerabilities
The London-based cybersecurity firm Fortbridge has shared a detailed post elaborating on five different vulnerabilities in the Yunmai Smart Scale app.
As explained, exploiting the bugs could allow various malicious actions. Notably, an adversary could even chain the exploits to take over target accounts.
The bugs affected the Smart Scale’s mobile app for Android and iOS devices. The app allows users to gain more information about their health status, like BMI, weight progress graphs, visceral fat percentage, and similar parameters.
These details indicate that the app stores far more information about users than they might expect. Hence, any vulnerability exposing such personal data puts a victim at real risk, disclosing much more than names, birth dates, and gender.
About the bugs discovered
According to the researcher Bogdan Tiron, the vulnerabilities in the app include:
- Family members limit bypass: the app allows a user to add up to 16 family members, created as separate “child accounts” under the “parent” account. However, an adversary could exploit the flaw to add more child accounts than the limit permits.
- UserID enumeration: after extracting a single userID, brute-forcing its last five digits could reveal information about other child account users. The exposed data would include the userIDs, names, gender, dates of birth, profile pictures, and puIds (the userID of the primary or “parent” account).
- Ineffective authorization checks: due to the lack of proper authorization checks, an adversary could delete an account by placing the target userID in the ‘delUserId’ parameter. Likewise, an adversary could add a user account under a victim’s primary account by supplying the victim’s puId value.
- Information leak: since the server’s response to adding a family member account leaks the ‘accessToken’ and ‘refreshToken’ of the new account, an adversary could exploit it to gain elevated privileges and take over the target primary account.
- Account takeover through ‘forgot password’ functionality: an adversary could request multiple tokens and guess the code, due to poor or nonexistent “forgot password” token validation.
Tiron further explained that chaining the last three vulnerabilities could give an adversary unrestricted access to the target account. He has shared the technical details of the flaws in the post.
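To illustrate what the missing server-side checks behind the family-member bugs (limit bypass, ineffective authorization on ‘delUserId’ and ‘puId’, and the token leak) look like when present, here is an added example written for this article; it is not Yunmai’s code, and the service model, random userID assignment, and method names are constructed assumptions, with only the field names (puId, delUserId, accessToken, refreshToken) and the 16-member limit taken from the report.

```python
from dataclasses import dataclass
from typing import Dict, Optional
import secrets

MAX_FAMILY_MEMBERS = 16  # the limit the app advertises, per the article


@dataclass
class User:
    user_id: int
    name: str
    pu_id: Optional[int] = None  # userID of the primary ("parent") account; None for a primary user


class FamilyService:
    # Constructed server-side model: field names mirror the report, the logic is illustrative.
    def __init__(self) -> None:
        self.users: Dict[int, User] = {}

    def _new_user_id(self) -> int:
        # Random, non-sequential IDs remove the "brute-force the last five digits" shortcut.
        while True:
            uid = secrets.randbelow(10**9)
            if uid not in self.users:
                return uid

    def register_primary(self, name: str) -> int:
        uid = self._new_user_id()
        self.users[uid] = User(uid, name)
        return uid

    def add_family_member(self, requester_id: int, name: str) -> Dict[str, object]:
        requester = self.users.get(requester_id)
        if requester is None or requester.pu_id is not None:
            raise PermissionError("only a primary account may add family members")
        if sum(1 for u in self.users.values() if u.pu_id == requester_id) >= MAX_FAMILY_MEMBERS:
            raise ValueError("family member limit reached")  # enforced server-side, not only in the app
        child_id = self._new_user_id()
        self.users[child_id] = User(child_id, name, pu_id=requester_id)
        # The response carries no accessToken/refreshToken for the child: the parent keeps acting
        # under its own session, so no second account's credentials are ever handed out.
        return {"userId": child_id, "name": name, "puId": requester_id}

    def delete_family_member(self, requester_id: int, del_user_id: int) -> bool:
        target = self.users.get(del_user_id)
        # Authorization check: delUserId must be a child of the caller's own primary account.
        if target is None or target.pu_id != requester_id:
            raise PermissionError("delUserId is not a child of the requesting account")
        del self.users[del_user_id]
        return True
```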
Incomplete Patches And Bypass
Following this discovery, the researcher contacted the app developers to report the bugs. While the vendor seemingly fixed the “forgot password” vulnerability, the researcher could still bypass the fix. The other four vulnerabilities still await the vendor’s attention.
After multiple attempts to reach the developer team and the vendor’s failure to deploy timely fixes, Tiron went ahead with public disclosure.