
Vulnerabilities in the Jacuzzi SmartTub app could allow access to users’ data

A researcher discovered multiple vulnerabilities in the web interface of the Jacuzzi SmartTub app that could expose private data.

Multiple vulnerabilities in the Jacuzzi SmartTub app’s web interface could have disclosed private data to attackers, security researcher Eaton Zveare warns.

The researcher attempted to notify the company without success; in the meantime, the flaws have been addressed.

The SmartTub app, which is available for both iOS and Android, allows customers to remotely control their Jacuzzi SmartTub, for example by setting the water temperature and turning on the water jets.

SmartTub is composed of a module inside the tub with cell data reception that can manage tub functionality, and the mobile app. The tub module is always connected to a central server, providing tub status updates and listening for commands.

To test the SmartTub, the expert created an account using the app and, while adding the account password to his password manager, checked which website/URL should be associated with it. He noticed that the account confirmation email came from smarttub.io, so that is the domain he used.

“After setting the password in my password manager, I went to the smarttub.io site to see what was there. There was an Auth0-branded login page. SmartTub uses Auth0 for their login and user account system. If you don’t want to build your own login and user account system, Auth0 is a good choice and saves you a lot of time by providing a full & secure user account system out of the box. Anything you build from scratch is unlikely to be as secure as Auth0’s offerings.” reads a post published by the expert. “I entered my details, thinking this was a website alternative to the mobile app. I was greeted with an Unauthorized screen.”

Right before that message appeared, the expert noticed a header and a table briefly flash on his screen. Using a screen recorder, he was able to capture the frame and discover that the page was an admin panel populated with user data.

smarttub.io hosts a single-page application (SPA) built with React. Because the admin panel is an SPA, the “Unauthorized” screen is rendered by the client after the login result comes back, which is why the table was briefly visible; the usernames and passwords themselves are sent to the third-party identity platform Auth0.

By modifying an HTTP response with the Fiddler proxy tool, the researcher was finally able to access the admin panel.

Once inside the portal, an attacker could access users’ first and last names, email addresses, phone numbers (where provided) and other sensitive data.
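The underlying weakness is that an “Unauthorized” screen drawn by the SPA is not an access control: if the server has already sent the data, a client-side gate only decides whether to draw it. The following is an added example, not SmartTub’s code, that models the same admin-data endpoint two ways with constructed sample records and a constructed session object (the `roles` array stands in for a role claim that a verified identity-provider token, such as one from Auth0, would carry). The assessment helper counts how many records reach a non-admin in the raw response body, regardless of what the client renders.

```javascript
// Added example, not SmartTub's code. All records, e-mail addresses and session
// values below are constructed for the illustration.

const SPA_RECORDS = [
  { spaId: "spa-001", ownerName: "Alice Example", email: "alice@example.com", phone: "555-0100" },
  { spaId: "spa-002", ownerName: "Bob Example", email: "bob@example.com", phone: null },
];

// Stand-in for the session established after login. In a real deployment `roles`
// would be read from a token claim the server has cryptographically verified.
function makeSession(email, roles) {
  return { email, roles };
}

// Weak design: every logged-in user gets the full data set plus an "authorized"
// flag, and the SPA is trusted to hide the table when the flag is false.
function weakAdminEndpoint(session) {
  return {
    status: 200,
    body: { authorized: session.roles.includes("admin"), records: SPA_RECORDS },
  };
}

// The SPA's gate decides what to draw, but the bytes have already reached the
// client, where a debugging proxy or the browser's dev tools can see them.
function weakClientRender(response) {
  if (!response.body.authorized) return { view: "Unauthorized", rows: [] };
  return { view: "AdminPanel", rows: response.body.records };
}

// Hardened design: authorization is enforced on the server before any record is
// read, and an unauthorized caller receives a 403 with no data in the body.
function hardenedAdminEndpoint(session) {
  if (!session.roles.includes("admin")) {
    return { status: 403, body: { error: "forbidden" } };
  }
  return { status: 200, body: { records: SPA_RECORDS } };
}

function hardenedClientRender(response) {
  if (response.status !== 200) return { view: "Unauthorized", rows: [] };
  return { view: "AdminPanel", rows: response.body.records };
}

// Assessment helper: how many records are present in the raw response body sent
// to a given session, independent of what the client chooses to render.
function recordsInResponseBody(endpoint, session) {
  const response = endpoint(session);
  return Array.isArray(response.body.records) ? response.body.records.length : 0;
}

function demo() {
  const customer = makeSession("carol@example.com", ["customer"]);
  const admin = makeSession("ops@example.com", ["admin"]);
  return {
    // Both designs show the customer an "Unauthorized" screen...
    weakRenderForCustomer: weakClientRender(weakAdminEndpoint(customer)).view,
    hardenedRenderForCustomer: hardenedClientRender(hardenedAdminEndpoint(customer)).view,
    // ...but only the weak design has already shipped every record to them.
    weakLeakToCustomer: recordsInResponseBody(weakAdminEndpoint, customer),
    hardenedLeakToCustomer: recordsInResponseBody(hardenedAdminEndpoint, customer),
    // The hardened endpoint still serves admins normally.
    hardenedRowsForAdmin: hardenedClientRender(hardenedAdminEndpoint(admin)).rows.length,
  };
}

console.log(demo());
```

The two `…RenderForCustomer` values are identical, which is exactly why a screen-level test would not have caught the issue; the `…LeakToCustomer` counts differ, and that count is the figure to check when reviewing an SPA-fronted admin API.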

“Once into the admin panel, the amount of data I was allowed to [see] was staggering. I could view the details of every spa, see its owner and even remove their ownership.” concludes the expert.

The researcher reported the flaw to Jacuzzi Brands in December, and the company addressed it on 4 June.


Pierluigi Paganini

(SecurityAffairs – hacking, Jacuzzi)
