Security experts have discovered that a chained, zero-day attack could leak all user data held in the backend of the companion mobile application for a popular smart weight scale. Bogdan Tiron, managing partner at UK infosec firm Fortbridge, uncovered five flaws in the Yunmai Smart Scale app, three of which he says can be chained to take over accounts and gain access to user information such as name, age, gender, family relationship, height, and profile photo.
Only one of the issues had allegedly been fixed as of May 12 by China-based IoT device provider Zhuhai Yunmai Technology — and even then, Tiron said he was able to get around the patch. The weaknesses were uncovered during a penetration test of the Yunmai Android and iOS applications.
Users may record and track their weight, body mass index (BMI), body fat percentage, visceral fat, and other health indicators using the Yunmai Smart Scale and app. More than 500,000 people have downloaded the Android app alone. The first step of the chained exploit uses a UserID enumeration issue to brute-force UserIDs and recover each account’s parent account ID (‘puId’). Because the API performs no permission checks, those puId values can then be used to add child (‘family member’) accounts to registered parent accounts.
Once a family account has been created, the associated ‘accessToken’ and ‘refreshToken’ are disclosed, allowing attackers to “impersonate the ‘family member’ accounts, switch between the family members’ accounts, and query all their data,” as per Tiron’s blog post. Meanwhile, the Android ‘password reset’ function fails to invalidate previously issued ‘forgot password’ tokens when a user requests a new one, allowing attackers to take over any user account (the function didn’t work at all on the iOS app).
“As a result, an attacker can request multiple tokens to be sent to the victim’s email, in order to increase his chances of guessing that code and changing the victim’s password,” said Tiron.
The researcher exploited the fifth and final issue by circumventing a restriction of 16 family members per primary account, which is enforced client-side but not server-side. The flaws were revealed by Tiron in September and October 2021. The support team at Yunmai reacted to the original revelation, but the development team has yet to answer, despite Fortbridge’s last contact with them on May 18. Tiron’s findings were published on May 30. According to the researcher, he could get around the only known patch for the ‘lost password’ problem.
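The three backend weaknesses described above (no server-side permission check when adding family members, reset tokens that stay valid after a new one is requested, and a member limit enforced only in the client) all come down to checks that belong on the server. The following is an added example, not Yunmai’s code or anything from Fortbridge’s write-up: an in-memory Python model of how a backend would enforce those checks. Only the ‘puId’ field name and the limit of 16 family members come from the article; the `Backend` class, its method names and the sample accounts are assumed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed, in-memory model of the behaviours discussed in the article.
# 'puId' and the limit of 16 come from the article; all other names are assumed.
MAX_FAMILY_MEMBERS = 16        # the limit the article says was checked only client-side
RESET_TOKEN_TTL_SECONDS = 900


@dataclass
class User:
    uid: int
    email: str
    pu_id: Optional[int] = None  # parent account (puId); None for a primary account


class Backend:
    def __init__(self) -> None:
        self.users: Dict[int, User] = {}
        self.passwords: Dict[int, str] = {}
        # One entry per uid: issuing a new reset token overwrites the old one,
        # so a token obtained earlier can never be redeemed later.
        self.reset_tokens: Dict[int, Tuple[str, float]] = {}
        self._next_uid = 1000

    def register(self, email: str, password: str) -> User:
        user = User(uid=self._next_uid, email=email)
        self._next_uid += 1
        self.users[user.uid] = user
        self.passwords[user.uid] = password
        return user

    def add_family_member(self, caller_uid: int, pu_id: int, email: str) -> User:
        # Server-side authorization: the caller must BE the primary account it
        # is adding to; knowing someone else's puId is not enough.
        if pu_id not in self.users or caller_uid != pu_id:
            raise PermissionError("caller does not own the target parent account")
        if self.users[pu_id].pu_id is not None:
            raise PermissionError("family members can only be added to primary accounts")
        # Server-side limit, independent of whatever the client enforces.
        members = [u for u in self.users.values() if u.pu_id == pu_id]
        if len(members) >= MAX_FAMILY_MEMBERS:
            raise ValueError("family member limit reached")
        child = User(uid=self._next_uid, email=email, pu_id=pu_id)
        self._next_uid += 1
        self.users[child.uid] = child
        return child

    def request_password_reset(self, uid: int) -> Optional[str]:
        """Issue a fresh, unguessable token and invalidate any earlier one."""
        if uid not in self.users:
            return None  # same response whether or not the account exists
        token = secrets.token_urlsafe(32)
        self.reset_tokens[uid] = (token, time.time() + RESET_TOKEN_TTL_SECONDS)
        return token     # in production this goes only to the account's email

    def reset_password(self, uid: int, token: str, new_password: str) -> bool:
        entry = self.reset_tokens.get(uid)
        if entry is None:
            return False
        stored, expires_at = entry
        if time.time() > expires_at or not hmac.compare_digest(stored, token):
            return False
        del self.reset_tokens[uid]  # single use
        self.passwords[uid] = new_password
        return True


def demo() -> Dict[str, bool]:
    """Exercise the three checks on constructed accounts; returns the outcomes."""
    be = Backend()
    alice = be.register("alice@example.invalid", "old-pw")
    mallory = be.register("mallory@example.invalid", "pw")
    out: Dict[str, bool] = {}

    # 1. A different account cannot add members under alice's puId.
    try:
        be.add_family_member(mallory.uid, alice.uid, "kid@example.invalid")
        out["foreign_add_blocked"] = False
    except PermissionError:
        out["foreign_add_blocked"] = True

    # 2. The 16-member limit holds on the server.
    for i in range(MAX_FAMILY_MEMBERS):
        be.add_family_member(alice.uid, alice.uid, f"member{i}@example.invalid")
    try:
        be.add_family_member(alice.uid, alice.uid, "one-too-many@example.invalid")
        out["limit_enforced"] = False
    except ValueError:
        out["limit_enforced"] = True

    # 3. Requesting a second reset token makes the first one worthless.
    first = be.request_password_reset(alice.uid)
    second = be.request_password_reset(alice.uid)
    out["stale_token_rejected"] = not be.reset_password(alice.uid, first, "x")
    out["fresh_token_accepted"] = be.reset_password(alice.uid, second, "new-pw")
    out["token_single_use"] = not be.reset_password(alice.uid, second, "again")
    return out


if __name__ == "__main__":
    print(demo())
```

The reset token is 32 random bytes rather than a short numeric code, so requesting many tokens does not improve an attacker’s odds of guessing one, and the overwrite-on-request plus single-use deletion closes the gap the article describes.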
“Unfortunately, Yunmai users are exposed to these issues and there’s nothing they can do to protect themselves at the application level, because these are all issues with the backend API and only Yunmai developers can fix them,” Tiron continued. “IoT devices have gained a bad reputation in terms of security in the last couple of years and it’s sad to see that things have not improved. We would have expected that Yunmai did at least a pen test before releasing this product or at least that they would have been more responsive when we reached out to them.”
Zhuhai Yunmai Technology has been asked to comment on the findings, but no response has yet been received. As reported earlier, Fortbridge discovered major remote code execution (RCE) flaws in the prominent open-source content management systems (CMS) Concrete and Joomla and in the web-hosting platform cPanel & WHM last year.