Security researcher BobDaHacker discovered multiple critical vulnerabilities in the Petlibro smart pet feeder system. The most severe is an **authentication bypass** that lets an attacker log in to *any* account using publicly available Google IDs. Petlibro acknowledged the issues and offered a $500 bounty, but more than two months after the initial report it has left the vulnerable login endpoint active for "legacy compatibility", despite promising a fix.
Other vulnerabilities included:
* Viewing details of any pet by ID.
* Obtaining serial numbers and MAC addresses.
* Manipulating feeding schedules, camera feeds, and settings without authentication.
* Retrieving mealtime messages recorded by owners.
* Gaining access to devices by adding oneself as a shared owner.
Brother printers (and printers from Fujifilm, Ricoh, Toshiba, and Konica Minolta) are affected by multiple vulnerabilities discovered by Rapid7, including a critical, unpatchable flaw (CVE-2024-51978) that lets an attacker derive a device's default administrator password from its serial number. Seven of the eight vulnerabilities have been patched, but the critical one requires a change to Brother's manufacturing process, so the primary mitigation is to change the default administrator password on every affected device.
US crosswalk buttons were hijacked to play AI-generated voices imitating prominent figures such as Bezos, Musk, and Zuckerberg. The attack exploited a default password (1234) on Polara's Field Service app, which allowed unauthorized reconfiguration of the crosswalk signals.