According to a security researcher, flaws in the online interface of Jacuzzi’s SmartTub app could have allowed an attacker to view and perhaps change personal data of hot tub owners.
SmartTub also has a module that sits inside hot tubs and delivers status updates and fulfils instructions like setting water temperature, turning on water jets or lighting, and so on – however there’s no indication that this capability was impacted by the issues.
Eaton Zveare was able to get past the Smarttub.io login screens and into two admin panels that were only meant for internal usage. Although the problems have been fixed, Zveare claims he was not informed of the fixes and that Jacuzzi failed to respond to most of his emails. Jacuzzi has yet to respond to our request for an interview. If and when they do, we’ll update this article.
According to the researcher, exploiting the flaws disclosed the first and last names, as well as email addresses, of people all over the world. “It would be straightforward to construct a script to extract all user information,” he cautioned in a technical write-up. It’s possible that it’s been done before.”
‘Staggering’
The initial admin panel was reached after a login attempt with Zveare’s customer credentials resulted in a ‘unauthorised’ page, but was preceded by a redirect to the admin panel captured with a screen recorder – “blink and you’d miss it.”
This security issue exposed data from numerous Jacuzzi brands in the United States and elsewhere.
Usernames and passwords were transferred to third-party authentication platform Auth0 for validation, according to a JavaScript package for Smarttub.io’s single-page-application (SPA).
Zveare masked himself as an admin by modifying the HTTP response with the Fiddler tool, giving him complete access to the admin panel and a “staggering” amount of data.
“I could examine every spa’s data, see who owned it, and even delete their ownership,” he explained. “I was able to see and edit every user account.” Zveare, on the other hand, declined to examine “if any alterations would genuinely save.”
Backend services
Despite the fact that the second admin console’s login screen was not Auth0-branded, it “seemed” to accept his credentials, but a JavaScript browser alert declined authorization.
The code for browser alert and isAdmin check was included in the corresponding JavaScript bundle, and he pointed out that the second panel, in addition to the admin and user groups shown on the first panel, also included admin tools and development groups.
The researcher used Chrome’s Local Overrides feature to load a customised JavaScript bundle file that forced canUseTools, checkAdmin, and checkDevTeam to always return true. “This way, I didn’t have to intercept the HTTP response every time I wanted to change the groups,” Zveare explained.
Manufacturing records, a serial number updating area, and options to prolong your cell (mobile) data subscription – “or shorten someone else’s” – as well as create, change, and delete tub colours, models, and licenced hot tub dealers – were all revealed.
Fraught disclosure
Zveare outlined a lengthy disclosure process that began with an initial notification on December 3 that apparently went unanswered.
On January 4, Zveare called Auth0 for assistance, and the authentication provider quickly replicated the problem, contacted Jacuzzi, and discovered that the initial admin panel had been disabled.
On June 4, he saw that the second admin panel had finally been secured, and on June 20, he publicly reported the flaws.
“A dialogue was not formed until Auth0 stepped in after several contact attempts using three distinct Jacuzzi/SmartTub email accounts and Twitter,” Zveare stated.
“Even after that, contact with Jacuzzi/SmartTub slowed to a halt, with no formal conclusion or recognition that all stated concerns had been resolved.” The researcher, on the other hand, commended the Auth0 security team for assisting despite not being obligated to do so. “Without their help, this disclosure would have very likely stagnated,” he added.
