| タイトル | Tomofun Furbo 360, Furbo Mini Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074) Improper Certificate Validation |
|---|
| 説明 | An attacker located upstream from the Furbo device can intercept the HTTPS traffic and decrypt it by impersonating the server and certificate. This is due to the request being made with curl -k which ignores certificate checks. As a result, the attacker can decrypt the traffic and review the firehose logs which are transmitted to the server. These base64 encoded logs contain data about the user's account ID, device ID, configurations, and other information. With this, an attacker could perform more refined attacks against the device or the individual in possession of the device. |
|---|
| ユーザー | jTag Labs (UID 51246) |
|---|
| 送信 | 2025年09月23日 19:07 (7 月 ago) |
|---|
| モデレーション | 2025年10月11日 20:33 (18 days later) |
|---|
| ステータス | 承諾済み |
|---|
| VulDBエントリ | 328044 [Tomofun Furbo 360/Furbo Mini HTTP Traffic collect_logs.sh upload_file_to_s3 弱い認証] |
|---|
| ポイント | 17 |
|---|