Security researcher BobDaHacker discovered multiple critical vulnerabilities in the Petlibro smart pet feeder system. The most severe is an **authentication bypass** that allows attackers to log in to *any* account using publicly available Google IDs. Petlibro acknowledged the issues and offered a $500 bounty, but more than two months after the initial report it has left the vulnerable login endpoint active for "legacy compatibility", despite promising a fix.

Other vulnerabilities included:
* Viewing details of any pet by ID.
* Obtaining serial numbers and MAC addresses.
* Manipulating feeding schedules, camera feeds, and settings without authentication.
* Retrieving mealtime messages recorded by owners.
* Gaining access to devices by adding oneself as a shared owner.