SmartTub Web Flaws Might Expose Jacuzzi Customer Information 

A security researcher claims that flaws in the online interface of Jacuzzi’s SmartTub app might have allowed an attacker to view and perhaps modify the personal information of hot tub owners. The SmartTub system also includes a module installed in the tub itself that reports status and carries out commands such as adjusting the water temperature or turning on jets and lighting. There is no indication, however, that this capability was affected by the incident.

Eaton Zveare was able to bypass the Smarttub.io login screens and reach two admin panels intended for internal use only. Although the problems have since been fixed, Zveare says he was not informed of the fixes and that Jacuzzi failed to respond to most of his emails. Jacuzzi has yet to respond to a request for comment. According to the researcher, exploiting the flaws exposed the first and last names, as well as email addresses, of users around the world. “It would be trivial to create a script to download all user information,” he cautioned in a technical write-up. “It’s possible it’s already been done.”

Zveare reached the first admin panel after noticing that a login attempt with his ordinary customer credentials ended on an ‘unauthorized’ page but was briefly preceded by a redirect to the admin panel, which he caught with a screen recorder – “blink and you’d miss it.” This issue exposed data from numerous Jacuzzi brands in the United States and elsewhere. The JavaScript bundle for Smarttub.io’s single-page application (SPA) showed that usernames and passwords were sent to the third-party authentication provider Auth0 for validation. Zveare passed himself off as an admin by modifying the HTTP response with the Fiddler debugging proxy, which gave him full access to the admin panel and a “staggering” quantity of data.

“I could view the details of every spa, see its owner, and even remove their ownership,” he explained. “I could view every user account and even edit them.” Zveare declined, however, to test “if any changes would actually save.”

The second admin console’s login screen was not Auth0-branded, but it “seemed” to accept his credentials; a JavaScript browser alert then denied authorization. The code for that alert and for the isAdmin check was shipped in the relevant JavaScript bundle, meaning the authorization decision was being made client-side. He pointed out that the second panel, in addition to the admin and user groups seen on the first panel, also included admin tools and development groups.

The researcher used Chrome’s Local Overrides feature to load a modified copy of the JavaScript bundle in which canUseTools, checkAdmin, and checkDevTeam always returned true. “This way, I didn’t need to intercept the HTTP response each time to modify the groups,” Zveare explained. The panel exposed manufacturing records, a serial-number update area, options to extend your own cellular data subscription – “or shorten someone else’s” – and the ability to create, change, and remove tub colors, models, and licensed hot tub dealers.

Zveare outlined a lengthy disclosure timeline that began with an initial notification on December 3 that went unanswered. On January 4, he contacted Auth0 for assistance; the authentication provider quickly reproduced the problem, contacted Jacuzzi, and confirmed that the first admin panel had been disabled. On June 4, he found that the second admin panel had finally been protected, and on June 20 he publicly disclosed the flaws.

“After multiple contact attempts through three different Jacuzzi/SmartTub email addresses and Twitter, a dialog was not established until Auth0 stepped in,” said Zveare. “Even then, communication with Jacuzzi/SmartTub eventually dropped off completely, without any formal conclusion or acknowledgement they have addressed all reported issues.” 

On the other hand, the researcher commended the Auth0 security team for assisting despite not being obligated to do so. “Without their assistance, this disclosure would probably have remained stalled,” he added.  

About the author

CIM Team
