🐱 New Blog Post: Petlibro Smart Pet Feeder Vulnerabilities (Partially Fixed, $500)
Found critical vulns in Petlibro - one of the biggest smart pet feeder companies:
- Auth bypass via broken OAuth - just need Google ID (public info via Google APIs) to log in as anyone
- Access any pet's data, devices, serial numbers, MAC addresses
- Hijack any device - change feeding schedules, access cameras
- Access private audio recordings (mealtime messages to pets)
- Add yourself as shared owner to any device
The worst part? They "fixed" the auth bypass by making a new endpoint... but left the old vulnerable one active for "legacy compatibility." Two months later, still working.
Also tried to get me to sign an NDA AFTER paying the bounty. That's not how contracts work.
Full writeup: https://bobdahacker.com/blog/petlibro
#InfoSec #BugBounty #ResponsibleDisclosure #IoT #Petlibro #Security #Privacy #CyberSecurity #SmartHome #OAuth
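The login defect the post describes (a public Google ID accepted as proof of identity) beside a hardened handler that derives identity only from a verified ID token. This is an added illustration, not code from the post or the linked writeup; the user table, client id, and the HS256 shared-secret signing are constructed stand-ins for Google's RS256 tokens and published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed demo data: a backend user table keyed by Google subject id.
USERS = {"109876543210": {"email": "owner@example.com", "devices": ["FEEDER-SN-0001"]}}
SECRET = b"demo-shared-secret"              # stand-in for the IdP's signing key (assumption)
AUDIENCE = "petlibro-app-client-id.example"  # hypothetical OAuth client id
ISSUER = "https://accounts.google.com"

def vulnerable_login(request):
    """Pattern from the post: a client-supplied Google ID is treated as a credential."""
    return USERS.get(request.get("google_id"))

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_id_token(claims: dict) -> str:
    """Issuer side (toy HS256; a real IdP signs with RS256 and publishes its keys)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, now=None):
    """Return the claims only if signature, alg, issuer, audience and expiry all check out."""
    try:
        header, body, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except (ValueError, json.JSONDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE or claims.get("exp", 0) <= now:
        return None
    return claims

def hardened_login(request, now=None):
    """Identity comes from the verified token's `sub`, never from a bare id in the request body."""
    claims = verify_id_token(request.get("id_token", ""), now)
    return None if claims is None else USERS.get(claims["sub"])
```

With a verified token the same account resolves; a request carrying only the public id, an expired or wrong-audience token, or a forged payload is refused.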