Security company finds another leak that gives access to data from children’s smartwatches
A security company has found another leak that gave attackers access to the data of tens of thousands of children's smartwatches. It turned out to be possible to log into the web portal of a children's watch manufacturer as an admin.
By changing the value of 'User(grade)' from 1 to 0 in the POST request sent at login, users were given access to the admin environment of children's smartwatch maker Gator, PenTestPartners reports. With one further small change it was then possible to view the data of 35,000 children's smartwatches linked to 20,000 accounts. The backend performed no check of whether the user was actually entitled to admin rights.
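The flaw described above is a classic case of trusting a client-supplied role field. The following added example (not code from PenTestPartners, Gator, or the backend in question) models it: a login handler that copies 'User(grade)' from the request beside one that takes the grade from the server-side account record, plus a check that flags tampered login requests. The user store, the other field names and the grade values (0 = admin, 1 = parent, inferred from the article) are constructed assumptions.

```python
import hmac

# Constructed user store. Grade 0 = admin, 1 = ordinary parent account
# (assumed mapping, inferred from the article's "change 1 to 0").
# Passwords are held in plaintext here only to keep the example short;
# a real store would hold password hashes.
USERS = {
    "parent@example.com": {"password": "correct-horse", "grade": 1},
    "ops@example.com": {"password": "hunter2-long", "grade": 0},
}
ADMIN_GRADE = 0


def _authenticate(form):
    """Shared credential check; returns the stored record or None."""
    user = USERS.get(form.get("User(name)"))
    if user is None:
        return None
    if not hmac.compare_digest(user["password"], form.get("User(password)", "")):
        return None
    return user


def login_vulnerable(form):
    """Trusts the grade sent by the client: any authenticated user who edits
    'User(grade)' in the POST body becomes admin."""
    if _authenticate(form) is None:
        return None
    # BUG: authorization level comes from the request, not from the record
    return {"name": form["User(name)"], "grade": int(form.get("User(grade)", 1))}


def login_fixed(form):
    """Derives the grade from the server-side record and ignores whatever
    'User(grade)' the client sent."""
    user = _authenticate(form)
    if user is None:
        return None
    return {"name": form["User(name)"], "grade": user["grade"]}


def can_list_all_devices(session):
    """Authorization check that must run on every privileged endpoint, not
    only at login; the article's backend skipped it entirely."""
    return session is not None and session["grade"] == ADMIN_GRADE


def is_grade_tampered(form):
    """Detection hook: True when a known account submits a grade that differs
    from its stored one, i.e. someone edited the login request."""
    user = USERS.get(form.get("User(name)"))
    sent = form.get("User(grade)")
    return user is not None and sent is not None and int(sent) != user["grade"]
```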
According to the security company, the same backend is used by several smartwatch makers. The manufacturer initially did not fix the leak, but instead closed the security company's test account. Later, a fix for the leak was released within a few days.
The app now talks to the server over an encrypted connection, which was not the case before. Despite this, the security company stands by its earlier advice not to buy a cheap children's smartwatch, because security appears to be lacking across the board. It is not the first time that this backend has turned out to contain major vulnerabilities: the company already found flaws in it in 2017.