| Title | Tomofun Furbo 360, Furbo Mini Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074) Improper Certificate Validation |
|---|
| Description | An attacker located upstream from the Furbo device can intercept the HTTPS traffic and decrypt it by impersonating the server and certificate. This is due to the request being made with curl -k which ignores certificate checks. As a result, the attacker can decrypt the traffic and review the firehose logs which are transmitted to the server. These base64 encoded logs contain data about the user's account ID, device ID, configurations, and other information. With this, an attacker could perform more refined attacks against the device or the individual in possession of the device. |
|---|
| User | jTag Labs (UID 51246) |
|---|
| Submission | 09/23/2025 19:07 (7 months ago) |
|---|
| Moderation | 10/11/2025 20:33 (18 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 328044 [Tomofun Furbo 360/Furbo Mini HTTP Traffic collect_logs.sh upload_file_to_s3 certificate validation] |
|---|
| Points | 17 |
|---|