The Guardzilla IoT-enabled home video surveillance system contains a shared Amazon S3 credential used for storing saved video data. Because of this design, all users of the Guardzilla All-In-One Video Security System can access each other’s saved home video.
This issue is an instance of CWE-798: Use of Hard-coded Credentials. It has a CVSSv3 base score of 8.6, since once the password is known, any unauthenticated user can collect the data from any affected system over the internet.
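A pre-release check for this class of flaw, as an added example that is not taken from the advisory or from the vendor's code: it scans a firmware or application image for strings shaped like AWS access key IDs and reports whether a secret-shaped string sits nearby. The sample image is constructed and uses the example key pair from AWS documentation; the bucket name and field names are assumptions.

```python
import re

# AWS access key IDs are 20 characters: AKIA (long-term IAM user key) or
# ASIA (temporary STS key) followed by 16 uppercase alphanumerics.
# Secret access keys are 40 characters drawn from the base64 alphabet.
KEY_ID = re.compile(rb"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
SECRET = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
WINDOW = 256  # bytes searched on each side of a key ID for a secret


def scan_image(blob: bytes) -> list[dict]:
    """Return one finding per AWS access key ID embedded in the image."""
    findings = []
    for m in KEY_ID.finditer(blob):
        lo = max(0, m.start() - WINDOW)
        hi = min(len(blob), m.end() + WINDOW)
        findings.append({
            "offset": m.start(),
            "key_id": m.group().decode(),
            # Long-term keys baked into a shipped image are shared by every
            # unit that runs it, which is the CWE-798 condition.
            "long_term": m.group(1) == b"AKIA",
            # Record only where a secret-shaped string is, never its value,
            # so the scan report does not itself leak the credential.
            "secret_offsets": [s.start() for s in SECRET.finditer(blob, lo, hi)],
        })
    return findings


# Constructed sample image (not real firmware); keys are AWS's documented
# example values, the bucket and field names are made up.
SAMPLE = (b"\x7fELF" + b"\x00" * 60
          + b"bucket=example-video-bucket\x00"
          + b"key=AKIAIOSFODNN7EXAMPLE\x00"
          + b"secret=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
          + b"\xff" * 32)

if __name__ == "__main__":
    for f in scan_image(SAMPLE):
        kind = "long-term" if f["long_term"] else "temporary"
        print(f"{kind} key {f['key_id']} at offset {f['offset']}, "
              f"{len(f['secret_offsets'])} secret-shaped string(s) nearby")
```

Any long-term key found this way should be treated as exposed and rotated, with devices moved to per-user or per-device credentials scoped to their own storage.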
This issue was discovered by Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6, and Chris, all of 0DayAllDay. This issue is being disclosed in accordance with Rapid7’s vulnerability disclosure policy in conjunction with 0DayAllDay.
Details via Rapid7
Duncan is a technology professional with over 20 years of experience working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.