Vulnerabilities discovered by hacker Eaton Zveare in hot tub manufacturer Jacuzzi's SmartTub Internet interface compromised the data of owners worldwide.
The system allows users to control their hot tubs remotely through a companion Android or iPhone application, which has been downloaded more than 10,000 times.
Zveare said owners' names and emails could be leaked through the exploit, which he noticed when logging in using the SmartTub interface; the login page returned an "unauthorized" error, but briefly flashed a full admin panel filled with user data, including information for multiple hot tub brands.
The hacker used a tool called Fiddler to intercept and alter the code, fooling the website into treating him as an admin rather than an ordinary user and exposing the whole admin panel.
Zveare found two vulnerable admin panels, which Jacuzzi corrected after spotty communications, and without any formal acknowledgement.
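The failure mode described above is an authorization decision that is only enforced in the client: the server answered "unauthorized" yet still delivered the admin data, so an intercepting proxy could flip the outcome. The following is an added example, not code from Jacuzzi, SmartTub or the researcher; it models that anti-pattern beside a server-side check in plain Python, with constructed sample records, hypothetical function names, and a small regression check a defender can run against API responses to catch privileged data in non-success replies.

```python
"""
Added example (not code from the SmartTub system): a client-trusted admin panel
versus server-side authorization. Names, roles and records are constructed.
"""
from dataclasses import dataclass

# Constructed stand-in for the kind of user listing an admin panel would show.
ADMIN_USER_LISTING = [
    {"name": "Example Owner A", "email": "owner-a@example.invalid"},
    {"name": "Example Owner B", "email": "owner-b@example.invalid"},
]

# Fields that must never appear in a response unless the caller is authorized.
PRIVILEGED_FIELDS = {"users"}


@dataclass(frozen=True)
class Session:
    user_id: str
    role: str  # "user" or "admin", as looked up in a server-side session store


def admin_panel_insecure(session: Session) -> dict:
    """Anti-pattern: the status says 'unauthorized' but the body still carries
    the privileged data, leaving it to the client to decide whether to show it."""
    body = {"users": ADMIN_USER_LISTING, "is_admin": session.role == "admin"}
    status = 200 if session.role == "admin" else 401
    return {"status": status, "body": body}


def admin_panel_secure(session: Session) -> dict:
    """Server-side enforcement: the role check runs before any privileged data
    is serialized, so a tampered client has nothing to reveal."""
    if session.role != "admin":
        return {"status": 403, "body": {"error": "forbidden"}}
    return {"status": 200, "body": {"users": ADMIN_USER_LISTING}}


def client_renders_panel(response: dict, client_tampered: bool = False) -> list:
    """Models the browser-side panel. The honest client hides the panel on a
    non-200 status; a client whose response was rewritten in a proxy simply
    renders whatever user records the body contains."""
    body = response["body"]
    if client_tampered:
        return body.get("users", [])
    if response["status"] == 200 and body.get("is_admin", True):
        return body.get("users", [])
    return []


def response_leaks_privileged_data(response: dict) -> bool:
    """Regression check for API tests or proxy-based review: a non-success
    response must not carry any privileged field."""
    if response["status"] == 200:
        return False
    return bool(PRIVILEGED_FIELDS & set(response["body"].keys()))


if __name__ == "__main__":
    ordinary = Session("u-1", "user")
    for name, handler in (("insecure", admin_panel_insecure),
                          ("secure", admin_panel_secure)):
        resp = handler(ordinary)
        print(name, "status", resp["status"],
              "honest client shows", len(client_renders_panel(resp)),
              "tampered client shows", len(client_renders_panel(resp, True)),
              "leaks", response_leaks_privileged_data(resp))
```

Running the block with an ordinary user shows the insecure handler returning 401 while a tampered client still renders both records, whereas the secure handler returns 403 with nothing to render; `response_leaks_privileged_data` flags only the former, which is the property to assert in an API test suite for every privileged endpoint.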
Abstracts Copyright © 2022 SmithBucklin, Washington, DC, USA