| Title | Tomofun Furbo 360, Furbo Mini Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074 ) Information Disclosure |
|---|
| Description | An attacker within Bluetooth Low Energy (BLE) range of the Furbo Mini device can read a GATT characteristic that leaks the device’s DeviceToken. This token is used to authenticate the device with Furbo’s back end services. If intercepted, an attacker can reuse the DeviceToken to re-register the victim’s device to a rogue account, effectively disabling the victim’s access and ability to use their device. |
|---|
| Source | ⚠️ https://github.com/dead1nfluence/Furbo-Advisories/blob/main/Information-Disclosure-DeviceToken.md |
|---|
| User | jTag Labs (UID 51246) |
|---|
| Submission | 09/25/2025 20:56 (9 months ago) |
|---|
| Moderation | 10/11/2025 20:34 (16 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 328058 [Tomofun Furbo 360/Furbo Mini GATT Service DeviceToken information disclosure] |
|---|
| Points | 19 |
|---|