Hello Guys, I'll try to make this as simple as possible so everyone can understand why this should be a concern for those who care about security.
The problem: Anyone can access your camera snapshots if they have the URL, which means unauthenticated access to your data!
Scenario: You are browsing your Arlo cameras on a shopping/company/free/friends/whatever Wi-Fi network. Let's suppose the network admin/owner has SSL strip or any form of proxy/MITM device between you and the internet.
This case is very common in corporate networks where your device trusts an intermediate certificate authority. That is done to allow firewalls/AV software to open your SSL tunnel and analyse your traffic.
So the exact moment you open your Arlo mobile app it makes some calls:
- First it calls the authentication API - https://arlo.netgear.com/hmsweb/login/v2
- Second it calls the Device list API - https://arlo.netgear.com/hmsweb/users/devices
and after that it populates the thumbnails of your cameras with the last snapshot they took.
Once the app calls the Device list API, it returns the URLs required to retrieve camera snapshots, but the problem is that anyone who possesses the URL can access it from anywhere without being authenticated.
You can easily replicate this experiment by following the steps below:
Required Tools:
- Postman
- Basic knowledge of API/Calls
First step is authorizing yourself, like the mobile app does. To do so, create a POST call in Postman as demonstrated below:
URL: https://arlo.netgear.com/hmsweb/login/v2
Call type: POST
Headers: Content-Type:application/x-www-form-urlencoded
Body: {
Now do a GET call to the device list URL using the TOKEN value that you got after authenticating in the last step:
URL: https://arlo.netgear.com/hmsweb/users/devices
Type: GET
Headers: Authorization:INSERT_THE_VALUE_OF_TOKEN_FIELD_HERE
and you'll get a JSON; look for the entries where deviceType says camera. These devices are your cameras, and you'll probably recognize them by the names you gave them. At this point just copy the content of the field presignedFullFrameSnapshotUrl and navigate to it in any browser and you'll get your camera snapshot. If you send it to a friend or anyone else it will also work.
So, that all being said, I would like to hear from Netgear/Arlo on this topic. To me it feels very unsafe to leave access to these URLs without authentication. What was the thought process behind it?
You should submit this on BugCrowd.
The problem is that it’s unsafe.
@vanzano wrote:
It’s not a bug. It was designed like that. It is working as intended.
The problem is that it’s unsafe.
Many security problems were "designed that way". This is a security problem. I'd report it and see if Arlo agrees with you that it is a problem and if so, you might get a small check for your troubles.