| 제목 | Tomofun Furbo 360, Furbo Mini Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074) Improper Certificate Validation |
|---|
| 설명 | An attacker located upstream from the Furbo device can intercept the HTTPS traffic and decrypt it by impersonating the server and certificate. This is due to the request being made with curl -k which ignores certificate checks. As a result, the attacker can decrypt the traffic and review the firehose logs which are transmitted to the server. These base64 encoded logs contain data about the user's account ID, device ID, configurations, and other information. With this, an attacker could perform more refined attacks against the device or the individual in possession of the device. |
|---|
| 사용자 | jTag Labs (UID 51246) |
|---|
| 제출 | 2025. 09. 23. PM 07:07 (7 개월 ago) |
|---|
| 모더레이션 | 2025. 10. 11. PM 08:33 (18 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 328044 [Tomofun Furbo 360/Furbo Mini HTTP Traffic collect_logs.sh upload_file_to_s3 약한 인증] |
|---|
| 포인트들 | 17 |
|---|