The vulnerability existed in Jacuzzi Brand LLC’s SmartTub app web interface that could reveal users’ private data to remote malicious attackers.

Researchers have identified vulnerabilities in Jacuzzi Brand LLC’s SmartTub app web interface that can reveal private data to attackers.

Security researcher and ethical hacker Eaton Zveare (EatonWorks) has identified a security flaw in the SmartTub feature of the app used in the hot tubs manufactured by the world-renowned Jacuzzi Brand.

The flaw exists in the app’s web interface, and as per the researcher, it allows a threat actor to view and abuse the personal data of hot tub users. The issue has been patched now, but Zveare claims he wasn’t notified about the fixes. Moreover, he stated that Jacuzzi didn’t reply to his emails.

About the SmartTub App

SmartTub is a Jacuzzi app available for iOS and Android systems. It has a SmartTub feature that users can use to connect to the tub via a module remotely and receive status updates or accepts users’ commands for various tasks. Such as, it can automatically set the water temperature, turn on lights and water jet, etc. It isn’t clear whether the vulnerability impacted these functions.

Flaws in Smart Jacuzzi App Could Be Exploited To Extract Users' Data

Attack Scenario Explained

According to a blog post, Zveare first accessed the Smarttub.io app’s admin panel using the wrong credentials, which were initially not accepted. He was then redirected to a display page where he could view data from multiple Jacuzzi brands in the US and elsewhere.

“Right before that message appeared, I saw a header and table briefly flash on my screen. Blink and you’d miss it. I had to use a screen recorder to capture it. I was surprised to discover it was an admin panel populated with user data. Glancing at the data, there is information for multiple brands, and not just from the US.”

Eaton Zveare

Furthermore, the app’s single-page-application (SPA) JavaScript bundle showed that usernames and passwords were sent to a third-party verification platform Auth0. Using the Fiddler tool, Zveare modified the HTTP response to masquerade in the admin status and obtain full access to the panel and a vast trove of data.

Hence, the issue identified was a poorly secured admin console in the web interface that allowed bypassing admin credentials.

What was Data Exposed?

The researcher claims that the bug could have exposed users’ first and last names, email addresses, and other sensitive data if abused. This issue could have impacted users all over the world.

According to Zveare, he could view details of “every spa,” check its owner, and remove their ownership. Furthermore, he could view user accounts and edit them as well. However, he didn’t test it as he feared the changes would be saved.

The researcher informed Jacuzzi Brands in early December, and the issue was resolved on 4 June.

More IoT Vulnerability News