A security researcher has uncovered several vulnerabilities, including a critical issue that exposed sensitive information, on the website of home automation company Nest Labs.
Evan Ricafort, an expert based in the Philippines, reported his findings to Google, which acquired Nest Labs earlier this year for $3.2 billion in cash.
The most serious of the security holes identified by the researcher is a file upload vulnerability affecting the certified.nest.com subdomain. According to Ricafort, the flaw could have been leveraged to upload a shell that enabled access to the personal and financial details of Nest customers, including credentials, payment card information, and scanned copies of identification documents such as passports and ID cards.
In a video demonstration published last week on his personal blog, Ricafort showed that an attacker could upload arbitrary files by abusing a feature designed to allow members of the Nest Certified Program to upload reseller certificates. By uploading a shell to the website, he claims to have gained access to hundreds of records.
After being informed of the existence of the vulnerability, Google’s security team told Ricafort that the affected domain is run by a third-party vendor and informed him that the company could not authorize him to conduct tests on it. The issue is out of scope so it’s not eligible for a monetary reward, but Google has offered to list the researcher’s name in the company’s “hall of fame.”
“Although it’s a heartbreaking result for an arbitrary file upload vulnerability, I don’t have any choice but to respect their decision,” the expert said.
The security hole has been addressed by restricting access to the certified.nest.com domain. Visitors are now being redirected to pro.nest.com, a domain for those who want to become authorized to sell and install Nest products such as thermostats and smoke alarms.
On this Nest Pro website, Ricafort later identified two stored cross-site scripting (XSS) vulnerabilities. Google has determined that these issues are eligible for the company’s bug bounty program, so it has rewarded the researcher with $100 for each of the bugs.

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
