At least 500,000 Android accounts have had their data compromised.
According to security researchers, a chained zero-day attack could potentially expose all user data in the backend of the companion mobile app for a popular smart weight scale.
Bogdan Tiron, managing partner at UK infosec firm Fortbridge, uncovered five vulnerabilities in the Yunmai Smart Scale app, three of which he claims may be used to take over accounts and gain access to user information such as name, gender, age, height, family relationship, and profile photo.
Only one of the issues had allegedly been fixed as of May 12 by China-based IoT product vendor Zhuhai Yunmai Technology — and even then, Tiron said he was able to get around the patch. The weaknesses were uncovered during a penetration test of the Yunmai Android and iOS apps.
Tipping the scales
Users can record and track their weight, body mass index (BMI), body fat percentage, visceral fat, and other health indicators using the Yunmai Smart Scale and app. More than 500,000 people have downloaded the Android app alone.
The first part of the chained exploit is a UserID enumeration issue: by brute-forcing UserIDs, an attacker can retrieve the parent user ID (‘puId’) associated with each account. Because the API performs no authorization checks, those puId values can then be used to add child (‘family member’) accounts to registered parent accounts.
Finally, when a family member account is created, the associated ‘accessToken’ and ‘refreshToken’ are disclosed, allowing attackers to “impersonate the ‘family member’ accounts, switch between the family members’ accounts, and query all their data,” according to Tiron’s blog post.
Meanwhile, the Android ‘password reset’ function fails to invalidate previously issued ‘forgot password’ tokens when a user requests a new one, allowing attackers to take over any user account (the function did not work at all on the iOS app).
“As a result, an attacker can send many tokens to the victim’s email address in order to boost his chances of guessing the code and altering the victim’s password,” Tiron explained.
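The reset flaw described above comes down to two backend decisions: whether issuing a new ‘forgot password’ token invalidates the earlier ones, and how hard a token is to guess. The following is an added example, not code from Yunmai or from Fortbridge, showing a reset handler that keeps only the newest token, uses a high-entropy token instead of a short code, expires it, and locks out repeated wrong guesses. The in-memory stores, the email address and the `request_reset`/`complete_reset` function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the backend database (assumption).
_users = {"alice@example.com": {"password": "old-password"}}
_reset_tokens = {}  # email -> {"token_hash": str, "expires": float, "attempts": int}

TOKEN_TTL_SECONDS = 15 * 60   # a reset token is only valid for 15 minutes
MAX_VERIFY_ATTEMPTS = 5       # wrong guesses allowed before the token is discarded


def _hash(token):
    # Store only a hash so a leaked table does not hand out usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email, now=None):
    """Issue a fresh reset token and invalidate any earlier one for this account.

    Returns the token that would be emailed to the user, or None for unknown
    accounts (the caller should answer identically in both cases so that the
    endpoint does not reveal which emails are registered)."""
    now = time.time() if now is None else now
    if email not in _users:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not a guessable numeric code
    # Overwriting the entry is the invalidation step: only the newest token is valid,
    # so sending many reset emails does not accumulate many live tokens.
    _reset_tokens[email] = {
        "token_hash": _hash(token),
        "expires": now + TOKEN_TTL_SECONDS,
        "attempts": 0,
    }
    return token


def complete_reset(email, token, new_password, now=None):
    """Validate a presented token and, if it is the current one, set the password."""
    now = time.time() if now is None else now
    entry = _reset_tokens.get(email)
    if entry is None or now > entry["expires"]:
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_VERIFY_ATTEMPTS:
        del _reset_tokens[email]  # too many guesses: discard the token entirely
        return False
    if not hmac.compare_digest(entry["token_hash"], _hash(token)):
        return False
    _users[email]["password"] = new_password
    del _reset_tokens[email]      # single use: the token dies once it has been used
    return True


def check_login(email, password):
    """Helper for the demo: does this password currently authenticate the user?"""
    user = _users.get(email)
    return user is not None and hmac.compare_digest(user["password"], password)


if __name__ == "__main__":
    first = request_reset("alice@example.com")
    second = request_reset("alice@example.com")
    print("old token accepted:", complete_reset("alice@example.com", first, "x"))    # False
    print("new token accepted:", complete_reset("alice@example.com", second, "pw2"))  # True
```

The important property is in `request_reset`: because the store holds at most one token per account, a flood of reset requests leaves the attacker with exactly one target token rather than many, and the attempt counter in `complete_reset` caps how many guesses that one token can absorb.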
The researcher exploited the fifth and final issue by circumventing a limit of 16 family members per primary account, which is enforced client-side but not server-side.
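The enumeration, missing authorization check and client-side-only limit described above are all fixed in the same place: the backend handler that adds a family member. The following is an added example, not Yunmai's code or Fortbridge's, of what such a handler looks like when the server checks that the caller owns the parent account it is adding to, enforces the 16-member limit itself, never returns tokens for the new member, and answers profile lookups identically for missing and foreign accounts so IDs cannot be enumerated. The in-memory session and account tables, the HTTP status codes and the function names are assumptions made for the example.

```python
import secrets

MAX_FAMILY_MEMBERS = 16   # the limit the article says the app enforced only client-side

# Constructed in-memory state in place of the real backend database (assumption).
_sessions = {}    # accessToken -> userId of the logged-in parent account
_accounts = {}    # userId -> {"parent": userId or None, "profile": dict, "family": [userId, ...]}
_next_id = [1000]


def _new_id():
    _next_id[0] += 1
    return _next_id[0]


def create_account(profile):
    """Register a parent account; returns (userId, accessToken)."""
    user_id = _new_id()
    _accounts[user_id] = {"parent": None, "profile": profile, "family": []}
    token = secrets.token_urlsafe(32)
    _sessions[token] = user_id
    return user_id, token


def add_family_member(access_token, pu_id, profile):
    """Handler for adding a 'family member' under parent account pu_id.

    Returns (http_status, body) the way an API route would."""
    caller = _sessions.get(access_token)
    if caller is None:
        return 401, {"error": "not authenticated"}
    # Authorization: the caller may only add members to the account it owns.
    # The flawed API trusted any client-supplied puId; here it must match the session.
    if pu_id != caller:
        return 403, {"error": "not your account"}
    family = _accounts[caller]["family"]
    # The 16-member limit is enforced on the server, so a modified client cannot bypass it.
    if len(family) >= MAX_FAMILY_MEMBERS:
        return 409, {"error": "family limit reached"}
    member_id = _new_id()
    _accounts[member_id] = {"parent": caller, "profile": profile, "family": []}
    family.append(member_id)
    # Only the new id is returned. No accessToken/refreshToken is minted for the member,
    # so the parent's own session remains the only credential that can act on it.
    return 201, {"userId": member_id}


def get_profile(access_token, user_id):
    """Handler for a profile lookup; only the account itself and its parent may read it."""
    caller = _sessions.get(access_token)
    if caller is None:
        return 401, None
    target = _accounts.get(user_id)
    # Same status for 'does not exist' and 'not yours', so probing ids reveals nothing.
    if target is None or (user_id != caller and target["parent"] != caller):
        return 404, None
    return 200, target["profile"]


if __name__ == "__main__":
    alice_id, alice_tok = create_account({"name": "Alice"})
    bob_id, bob_tok = create_account({"name": "Bob"})
    print(add_family_member(bob_tok, alice_id, {"name": "Mallory"}))   # (403, ...)
    print(add_family_member(alice_tok, alice_id, {"name": "Kid"}))     # (201, {'userId': ...})
```

Note that `add_family_member` takes `pu_id` from the request only to reject it when it does not match the session; a simpler design drops the parameter altogether and uses the session's user id, which removes the whole class of mismatch.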
Tiron disclosed the issues to the vendor in September and October 2021. Yunmai’s support team responded to the original disclosure, but the development team has yet to answer, despite Fortbridge’s final attempt to contact them on May 18.
Tiron published his findings on May 30.
The researcher told The Daily Swig: “To the best of my knowledge, none of the findings have been changed. All discoveries were still unpatched the last time I checked on the 12th of May.” According to the researcher, he was able to get around the only known patch, for the ‘lost password’ problem.
“Unfortunately, Yunmai users are vulnerable to these flaws, and there’s nothing they can do at the application level to protect themselves,” Tiron stated. “These are all issues with the backend API, and only Yunmai developers can fix them.”
“In the previous couple of years, IoT devices have developed a bad reputation in terms of security, and it’s disappointing to see that things haven’t improved. We would have expected Yunmai to conduct at least a pen test prior to releasing this product, or at the very least to be more responsive when we contacted them.”
We’ve asked Zhuhai Yunmai Technology for their thoughts on these findings, and we’ll update the article as soon as they respond. Fortbridge’s research last year included the discovery of major remote code execution (RCE) vulnerabilities in the popular open-source content management systems (CMSes) Concrete and Joomla, as well as in the web hosting platform cPanel & WHM, as previously reported by The Daily Swig.