Due to a shared Amazon S3 credential, all users of a certain model of the Guardzilla All-In-One Video Security System can view each other's videos.
A vulnerability in the Guardzilla All-In-One Video Security System, an IoT-enabled home video surveillance system, lets all users view one another's saved surveillance footage due to the design and implementation of Amazon S3 credentials inside the camera's firmware.
Security researchers found the bug (CVE-2018-5560) during an event held by 0DayAllDay and reported it to Rapid7 for coordinated disclosure. Rapid7 published the flaw today, 60 days after it first attempted to contact the vendor. Multiple coordination efforts received no response.
This vulnerability is an issue of CWE-798: Use of Hard-coded Credentials, 0DayAllDay researchers report. Guardzilla's system uses a shared Amazon S3 credential for storing users' saved videos. When they investigated the access rights given to the embedded S3 credentials, researchers found they provide unlimited access to all S3 buckets provisioned for the account.
As a result, everyone who uses Guardzilla's system for home surveillance can view one another's video data in the cloud. Anyone who recovers the embedded credential from the firmware can, without any further authentication, access and download the stored files and videos in every bucket linked to the account.
Researchers only tested Model #GZ521W of the Guardzilla Security Video System and do not know whether other models are affected by the same bug, Rapid7 reports. Without a patch, users should ensure that the device's cloud-based data storage functions are turned off.
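The root cause described above is a single credential whose policy reaches every bucket in the account. The following added example (not Guardzilla's or Rapid7's code) is a small policy check a defender can run over IAM policy documents to flag that pattern, alongside a constructed per-device policy scoped to one key prefix; the bucket name, device ID and Sids are assumptions.

```python
S3_ARN = "arn:aws:s3:::"


def _as_list(value):
    """IAM allows Action/Resource/Statement as a string or a list."""
    return value if isinstance(value, list) else [value]


def broad_s3_grants(policy):
    """Return (Sid, resource, reason) for Allow statements whose S3 scope is
    wider than one key prefix: every bucket, every object in a bucket, or an
    unconditioned bucket listing. A shared credential with any of these lets
    one tenant read another tenant's objects."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        # A listing limited by an s3:prefix condition is acceptable scoping.
        prefix_limited = any("s3:prefix" in op for op in
                             stmt.get("Condition", {}).values())
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or res.startswith(S3_ARN + "*"):
                findings.append((stmt.get("Sid"), res, "all buckets"))
            elif res.startswith(S3_ARN):
                _bucket, _, key = res[len(S3_ARN):].partition("/")
                if key == "*":
                    findings.append((stmt.get("Sid"), res, "every object in bucket"))
                elif key == "" and not prefix_limited:
                    findings.append((stmt.get("Sid"), res, "unrestricted listing"))
    return findings


# Constructed policy modelling the embedded credential's rights: all S3 actions
# on every bucket in the account.
SHARED_CAMERA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllS3", "Effect": "Allow",
                   "Action": "s3:*", "Resource": "*"}],
}


def per_device_policy(bucket, device_id):
    """Constructed least-privilege alternative (assumed names): one device may
    only read, write and list under its own key prefix, so a credential pulled
    from one camera cannot reach another owner's footage."""
    prefix = f"devices/{device_id}/"
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "OwnObjects", "Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": f"{S3_ARN}{bucket}/{prefix}*"},
        {"Sid": "OwnListing", "Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"{S3_ARN}{bucket}",
         "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}}]}
```

The per-device policy still needs a per-device credential (for example, one issued per camera during provisioning) to be meaningful; the check only tells you the shared policy is the problem.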
Read more details in Rapid7's blog here.