A vulnerability in the Guardzilla All-In-One Video Security System, an IoT-enabled home video surveillance system, lets all users view one another's saved surveillance footage due to the design and implementation of Amazon S3 credentials inside the camera's firmware.
Security researchers found the bug (CVE-2018-5560) during an event held by 0DayAllDay and reported it to Rapid7 for coordinated disclosure. Rapid7 published the flaw today, 60 days after it first attempted to contact the vendor. Multiple coordination efforts received no response.
This vulnerability is an issue of CWE-798: Use of Hard-coded Credentials, 0DayAllDay researchers report. Guardzilla's system uses a shared Amazon S3 credential for storing users' saved videos. When they investigated the access rights given to the embedded S3 credentials, researchers found they provide unlimited access to all S3 buckets provisioned for the account.
As a result, all people who use Guardzilla's system for home surveillance can view one another's video data in the cloud. Once the password is known, any unauthenticated person can access and download stored files and videos in buckets linked to the account.
Researchers only tested Model #GZ521W of the Guardzilla Security Video System and do not know whether other models are affected by the same bug, Rapid7 reports. Without a patch, users should ensure that the device's cloud-based data storage functions are turned off.
Read more details in Rapid7's blog here.