A security researcher has uncovered several vulnerabilities, including a critical issue that exposed sensitive information, on the website of home automation company Nest Labs.
Evan Ricafort, an expert based in the Philippines, reported his findings to Google, which acquired Nest Labs earlier this year for $3.2 billion in cash.
The most serious of the security holes identified by the researcher is a file upload vulnerability affecting the certified.nest.com subdomain. According to Ricafort, the flaw could have been leveraged to upload a shell that enabled access to the personal and financial details of Nest customers, including credentials, payment card information, and scanned copies of identification documents such as passports and ID cards.
In a video demonstration published last week on his personal blog, Ricafort showed that an attacker could upload arbitrary files by abusing a feature designed to allow members of the Nest Certified Program to upload reseller certificates. By uploading a shell to the website, he claims to have gained access to hundreds of records.
After being informed of the existence of the vulnerability, Google’s security team told Ricafort that the affected domain is run by a third-party vendor and informed him that the company could not authorize him to conduct tests on it. The issue is out of scope so it’s not eligible for a monetary reward, but Google has offered to list the researcher’s name in the company’s “hall of fame.”
“Although it’s a heartbreaking result for an arbitrary file upload vulnerability, I don’t have any choice but to respect their decision,” the expert said.
The security hole has been addressed by restricting access to the certified.nest.com domain. Visitors are now being redirected to pro.nest.com, a domain for those who want the become authorized to sell and install Nest products such as thermostats and smoke alarms.
On this Nest Pro website, Ricafort later identified two stored cross-site scripting (XSS) vulnerabilities. Google has determined that these issues are eligible for the company’s bug bounty program so it has rewarded the researcher with $100 for each of the bugs.