Connect with us

Hi, what are you looking for?



Vulnerabilities Found in Website of Google-Owned Nest

A security researcher has uncovered several vulnerabilities, including a critical issue that exposed sensitive information, on the website of home automation company Nest Labs.

A security researcher has uncovered several vulnerabilities, including a critical issue that exposed sensitive information, on the website of home automation company Nest Labs.

Evan Ricafort, an expert based in the Philippines, reported his findings to Google, which acquired Nest Labs earlier this year for $3.2 billion in cash.

The most serious of the security holes identified by the researcher is a file upload vulnerability affecting the subdomain. According to Ricafort, the flaw could have been leveraged to upload a shell that enabled access to the personal and financial details of Nest customers, including credentials, payment card information, and scanned copies of identification documents such as passports and ID cards.

In a video demonstration published last week on his personal blog, Ricafort showed that an attacker could upload arbitrary files by abusing a feature designed to allow members of the Nest Certified Program to upload reseller certificates. By uploading a shell to the website, he claims to have gained access to hundreds of records.

After being informed of the existence of the vulnerability, Google’s security team told Ricafort that the affected domain is run by a third-party vendor and informed him that the company could not authorize him to conduct tests on it. The issue is out of scope so it’s not eligible for a monetary reward, but Google has offered to list the researcher’s name in the company’s “hall of fame.”

“Although it’s a heartbreaking result for an arbitrary file upload vulnerability, I don’t have any choice but to respect their decision,” the expert said.

The security hole has been addressed by restricting access to the domain. Visitors are now being redirected to, a domain for those who want the become authorized to sell and install Nest products such as thermostats and smoke alarms.

 On this Nest Pro website, Ricafort later identified two stored cross-site scripting (XSS) vulnerabilities. Google has determined that these issues are eligible for the company’s bug bounty program so it has rewarded the researcher with $100 for each of the bugs.

Advertisement. Scroll to continue reading.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.