🐱 New Blog Post: Petlibro Smart Pet Feeder Vulnerabilities (Partially Fixed, $500)

Found critical vulns in Petlibro - one of the biggest smart pet feeder companies:

• Auth bypass via broken OAuth - just need Google ID (public info via Google APIs) to login as anyone
• Access any pet's data, devices, serial numbers, MAC addresses
• Hijack any device - change feeding schedules, access cameras
• Access private audio recordings (mealtime messages to pets)
• Add yourself as shared owner to any device

The worst part? They "fixed" the auth bypass by making a new endpoint... but left the old vulnerable one active for "legacy compatibility." Two months later, still working.

Also tried to get me to sign an NDA AFTER paying the bounty. That's not how contracts work.

Full writeup: https://bobdahacker.com/blog/petlibro

#InfoSec #BugBounty #ResponsibleDisclosure #IoT #Petlibro #Security #Privacy #CyberSecurity #SmartHome #OAuth

With today being Christmas, here is your annual reminder to be nice to newbies in your spaces.

There is going to be a very sudden influx of people who are just getting into the spaces you occupy because they got a gift that acts as their gateway into that activity. Maybe you're into photography and someone just bought them their first ever camera body, or you're into music and someone bought them their first guitar, or you're an audiophile and someone bought them their first really nice headphones, or you're big into TTRPGs and someone just bought them their first ever core rulebook.

Whatever the specific activity and gift, these people are going to have no idea what they're doing, they're going to ask a lot of obvious questions, they're going to make a lot of rookie mistakes, and there's going to be a lot of them.

I cannot stress this enough: BE NICE TO THEM.

Few things will ruin someone's enjoyment of something faster than trying to join its community and getting such a rude first impression that their conclusion is "People who like this are kind of assholes. I don't think I want to do this if it's going to involve getting yelled at." Craigslist and eBay and FB Marketplace will be filled with mint condition gifts being resold to attest to this in the coming months.

You were there at the very first step once. Be the person for them that you wish you had back then. (Or if you were lucky enough, the person you did have who fostered your love of it!) Make this something they'll love just as much as you do, not something they'll want to sell and get away from as soon as possible.

Be the reason this Christmas starts a lifelong passion for them, not the reason they decide to abandon something that they would've loved because people made them feel bad for needing a helping hand.

@sillyCoelophysis
“Are these terms useful?” → Yes, I think they are. Naming patterns is useful. Identifying commonly shared characteristics is useful. Creating anchor points for sharing experiences, strategies, and new understanding is useful. We can use these terms without being reductive, or assuming any one of them completely describes a person.

It’s useful to have a word like “autistic” the same way it’s useful to have a word like “yellow,” even though yellow is a range of colors and there is no well-defined bright line where yellow becomes orange.

It’s specifically “neurotypical” as a category of person I’m arguing against. “Orange” is a color, but “none of the above” is…not.

Trans rights are human rights.

Boost if you agree.

Block me if you disagree.