Security researcher BobDaHacker discovered multiple critical vulnerabilities in the Petlibro smart pet feeder system. The most severe is an **authentication bypass** allowing attackers to log in to *any* account using publicly available Google IDs. Petlibro acknowledged the issues and offered a $500 bounty, but has left the vulnerable login endpoint active for "legacy compatibility" over two months after initial reporting, despite promising a fix.
Other vulnerabilities included:
* Viewing details of any pet by ID.
* Obtaining serial numbers and MAC addresses.
* Manipulating feeding schedules, camera feeds, and settings without authentication.
* Retrieving mealtime messages recorded by owners.
* Gaining access to devices by adding oneself as a shared owner.
This week's security roundup covers the Anubis web AI firewall, AI exploit generation, a vulnerability in CodeRabbit, the potential illegality of adblocking in Germany, a Microsoft Copilot audit log issue, and a disputed Elastic EDR vulnerability.
US crosswalk buttons were hijacked to play AI-generated voices of prominent figures like Bezos, Musk, and Zuckerberg. The hack exploited a default password (1234) on Polara's Field Service app, which allowed unauthorized configuration of the crosswalk signals.
The US government initially ended funding for the Common Vulnerabilities and Exposures (CVE) database. Funding has since been restored through the CVE Foundation and CISA. This article covers the CVE situation solely from the perspective of its effect on Android.
Two security vulnerabilities have been disclosed in the Mailcow open-source mail server suite that could be exploited by malicious actors to achieve arbitrary code execution on susceptible instances.