

What is the Issue?

It is possible that other access control vulnerabilities exist. However, because of the high risk and severity of this issue, we decided that it was important to disclose it publicly as soon as possible.

What We Followed When Preparing This Advisory

To ensure the highest level of detail, we researched each step of the process and validated our findings with other members of the community. The advisory includes a detailed technical analysis, a suggested mitigation, and references. We validated our findings through multiple channels: asking for feedback on the details of the advisory, asking for confirmation of the findings, and asking for references on the validation process. Following these steps allowed us to produce an accurate and detailed advisory.

What We Discovered

While validating our findings, we discovered a possible issue with how SmartThings handles the sharing activity. To share something, an end user needs to tap the "Share" button. If a user types something into their smartphone, the end user receives a notification on their smartphone.

SmartThings Core Issue

If a user does not have a notification on their smart device, they are prompted for permission to share with their phone. If the user grants permission, the phone automatically shares with the SmartThings hub. There is currently no protection against this: no authentication step stands between the permission prompt and the content reaching the hub. An authentication mechanism, such as a pattern or password that the end user must enter before content is shared through their phone, needs to be in place.
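The advisory only states that a pattern or password should be required before sharing; it does not describe how SmartThings implements the share flow. The following is an added illustration, not SmartThings code, of the mitigation it suggests: a step-up authentication gate in which the share handler refuses to forward content to the hub unless the caller re-entered their password within a short window. The `User`, `Hub`, `share_unprotected` and `share_protected` names, the PBKDF2 password check and the 120-second freshness window are all assumptions made for this example.

```python
"""Hypothetical step-up authentication gate for a 'share' action.

Added example, not code from the advisory or from SmartThings. It contrasts
the unprotected pattern the advisory describes (any share request is
forwarded to the hub) with a gate that requires a fresh password entry.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: a password entry counts as "fresh" for this many seconds.
REAUTH_WINDOW_SECONDS = 120


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; iteration count chosen for illustration only.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes
    last_reauth: float = 0.0  # epoch seconds of the last successful password entry

    @classmethod
    def create(cls, name: str, password: str) -> "User":
        salt = os.urandom(16)
        return cls(name, salt, _hash_password(password, salt))

    def reauthenticate(self, password: str, now: Optional[float] = None) -> bool:
        """Verify the password in constant time; on success record the time."""
        ok = hmac.compare_digest(_hash_password(password, self.salt), self.pw_hash)
        if ok:
            self.last_reauth = time.time() if now is None else now
        return ok


class Hub:
    """Stand-in for the SmartThings hub: just records what it was sent."""

    def __init__(self) -> None:
        self.received: List[Tuple[str, str]] = []

    def receive(self, owner: str, content: str) -> None:
        self.received.append((owner, content))


class StepUpRequired(Exception):
    """Raised when the caller must re-enter their password before sharing."""


def share_unprotected(user: User, hub: Hub, content: str) -> bool:
    # The pattern the advisory warns about: the share is forwarded to the hub
    # with no authentication beyond the OS permission prompt.
    hub.receive(user.name, content)
    return True


def share_protected(user: User, hub: Hub, content: str,
                    now: Optional[float] = None) -> bool:
    # Hardened version: refuse unless the password was entered recently.
    now = time.time() if now is None else now
    if now - user.last_reauth > REAUTH_WINDOW_SECONDS:
        raise StepUpRequired("re-enter password before sharing")
    hub.receive(user.name, content)
    return True


if __name__ == "__main__":
    # Constructed walkthrough: share fails until the password is re-entered.
    alice = User.create("alice", "correct horse battery staple")
    hub = Hub()
    try:
        share_protected(alice, hub, "living-room camera clip")
    except StepUpRequired as exc:
        print("blocked:", exc)
    alice.reauthenticate("correct horse battery staple")
    share_protected(alice, hub, "living-room camera clip")
    print("hub received:", hub.received)
```

The `now` parameter exists so the freshness window can be exercised deterministically; a real implementation would also bind the re-authentication to the device session rather than to a timestamp on the user object.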

Timeline

Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/11/2022 19:47:00 UTC
