User data related to at least 500,000 Android accounts at risk

A chained, zero-day exploit could potentially expose all user data in the backend of the companion mobile application for a popular smart weight scale, security researchers have claimed.

Bogdan Tiron, managing partner at UK infosec firm Fortbridge, discovered five vulnerabilities in the Yunmai Smart Scale app, three of which he said could be combined to take over accounts and access user details such as name, gender, age, height, family relationship, and profile photo.

As of May 12, China-based IoT product vendor Zhuhai Yunmai Technology had apparently implemented a fix for only one of the flaws – and even then, Tiron said he managed to bypass the patch.

The flaws were discovered during a penetration test of the Yunmai Android and iOS apps.

Tipping the scales

The Yunmai Smart Scale and app allow users to record and track their weight, body-mass index (BMI), body fat percentage, visceral fat, and various other health indicators.

The Android application alone has been downloaded more than 500,000 times.

The chained exploit first abuses a UserID enumeration flaw, brute-forcing UserIDs to leak parent uid (‘puId’) account values. The puId values are then used to add child (‘family member’) accounts to registered parent accounts, which is possible because the API fails to perform authorization checks.




Finally, when the family account is created the corresponding ‘accessToken’ and ‘refreshToken’ are leaked and could be leveraged by attackers “to impersonate the ‘family member’ accounts, switch between the accounts of the family members, and query all their data”, according to a blog post penned by Tiron.

A fourth flaw, meanwhile, means attackers could take over any user account because the Android ‘password reset’ function fails to properly invalidate previously generated ‘forgot password’ tokens when a user requests a new ‘forgot password’ token (the function did not work at all on the iOS app).

“As a result, an attacker can request multiple tokens to be sent to the victim’s email, in order to increase his chances of guessing that code and changing the victim’s password,” said Tiron.
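One way a backend could close the ‘forgot password’ flaw described above, added here as an example and not taken from Yunmai’s code or Tiron’s blog post: issuing a new code replaces the previous one, and every code expires, is single-use and tolerates only a few wrong guesses. The six-digit code format, the lifetime, the attempt limit and all names are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5     # wrong guesses allowed per issued code (assumed value)


class ResetTokenStore:
    """Holds at most ONE live reset code per account (in-memory stand-in for a DB)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._live = {}  # account -> {"digest", "expires", "attempts"}

    @staticmethod
    def _digest(code):
        # Store only a hash so a database leak does not expose live codes.
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, account):
        # Overwriting the record is what invalidates any earlier code:
        # requesting N codes never leaves N valid guesses outstanding.
        code = f"{secrets.randbelow(10**6):06d}"  # assumed six-digit format
        self._live[account] = {
            "digest": self._digest(code),
            "expires": self._clock() + TOKEN_TTL,
            "attempts": 0,
        }
        return code  # would be e-mailed to the owner, never sent back to the requester

    def redeem(self, account, code):
        rec = self._live.get(account)
        if rec is None:
            return False
        if self._clock() > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            del self._live[account]      # expired or guessed too often: burn it
            return False
        rec["attempts"] += 1
        if hmac.compare_digest(rec["digest"], self._digest(code)):
            del self._live[account]      # single use
            return True
        return False
```

With one live code per account and a capped number of guesses, requesting more codes no longer improves an attacker’s odds of guessing a valid one.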

The fifth and final flaw saw the researcher bypass a limit of 16 family members per primary account, as the limit is enforced client-side but not server-side.

Partial patch

Tiron disclosed the flaws during September and October 2021. Yunmai’s support team responded to the initial disclosure, but the development team still has not replied, with Fortbridge last emailing them directly on May 18.

Tiron published his findings on May 30.

“To the best of my knowledge none of the findings have been fixed,” the researcher told The Daily Swig. “Last time I have checked on 12th of May, all findings were still unpatched.”

The researcher said he successfully circumvented the sole observed fix, for the ‘forgot password’ issue.

“Unfortunately, Yunmai users are exposed to these issues and there’s nothing they can do to protect themselves at the application level, because these are all issues with the backend API and only Yunmai developers can fix them,” Tiron continued.

“IoT devices have gained a bad reputation in terms of security in the last couple of years and it’s sad to see that things have not improved. We would have expected that Yunmai did at least a pen test before releasing this product or at least that they would have been more responsive when we reached out to them.”

We have invited Zhuhai Yunmai Technology to comment on these findings and will update the article if and when they reply.

As previously reported by The Daily Swig, Fortbridge research last year included the discovery of serious remote code execution (RCE) vulnerabilities in popular open source content management systems (CMSs) Concrete and Joomla, as well as in web hosting platform cPanel & WHM.

