CVE-2023-24080: Chamberlain myQ Account Takeover – Brackish Security
A lack of rate limiting on the password reset endpoint of Chamberlain myQ v5.222.0.32277 (on iOS) allows attackers to compromise user accounts via a bruteforce attack.
- 22 January, 2023
Introduction
A Brackish Security researcher recently uncovered a vulnerability affecting the myQ iOS application that allows an attacker to take over arbitrary user accounts. This issue was discovered in iOS application version 5.222.0.32277. No other versions were tested, but it is possible that multiple versions and platforms use the same APIs with vulnerable functionality. This issue affects millions of accounts and gives attackers access to garage door openers, cameras, locks, and other devices that are controlled via the myQ application. The myQ iOS application has 1.2M ratings on the Apple App Store and is currently #13 in the free application charts.
A door, but we have the key
A Simple Vulnerability
The attacker needs prior knowledge of a victim’s email address, or, as Brackish discovered, an attacker could make repeated requests to the following endpoint to determine whether an account is present.
POST /api/Account/ForgotPassword
If the account does not exist, a lengthy Location response header containing the following will be returned.
email=amltQGJyYWNraXNoLmlv
This is the Base64-encoded version of jim@brackish.io – an account that does not exist. If the account exists, this parameter will not be present in the Location response header.
Once a victim’s email is discovered, the account takeover is simple. At the heart of it is the lack of rate limiting on the following endpoint:
POST /api/Account/EmailValidation
The body of this request contains (amongst other parameters) the reset code that is emailed to the victim:
Code=5308
302 response when reset code is hit after thousands of requests
The reset code is only four digits in length, and there is no rate limiting on this endpoint. An attacker is free to brute force this code and reset the victim’s password. This issue was reported to Chamberlain on 1/10/23.
Fixed
As of 1/20/23 (possibly earlier), a fix has been implemented via rate limiting on the server or in middleware. The application itself has not been updated. The fact that the fix was implemented in this fashion lends more credence to the speculation that every myQ account was affected by this vulnerability.
Rate limit response as seen in mobile application
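The two weaknesses described above (the ForgotPassword response that differs for existing and non-existing accounts, and the four-digit EmailValidation code that could be guessed without limit) map directly onto two server-side controls. The following is an added illustration written for this post, not Chamberlain's code: a simulated reset service with a uniform ForgotPassword response, a per-code attempt budget, code expiry and an audit event for lockouts. The limits (5 attempts, 10-minute TTL) are hypothetical policy values chosen for the example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # guesses allowed per issued code (hypothetical policy)
CODE_TTL_SECONDS = 600  # a code is only valid for ten minutes (hypothetical)


@dataclass
class ResetCode:
    code: str         # four-digit code, as in the myQ flow
    issued_at: float
    attempts: int = 0


class ResetService:
    """Simulated server side of the ForgotPassword / EmailValidation flow."""

    def __init__(self, accounts, now=time.time):
        self.accounts = set(accounts)
        self.now = now          # injectable clock so expiry can be tested
        self.codes = {}         # email -> ResetCode
        self.log = []           # audit events a SOC can alert on

    def forgot_password(self, email):
        # Identical response whether or not the account exists, so the
        # endpoint cannot be used to enumerate accounts. A code is only
        # generated (and mailed) for real accounts.
        if email in self.accounts:
            self.codes[email] = ResetCode(f"{secrets.randbelow(10**4):04d}", self.now())
        return {"status": 202, "message": "If that account exists, a reset email has been sent."}

    def email_validation(self, email, code):
        rc = self.codes.get(email)
        if rc is None or self.now() - rc.issued_at > CODE_TTL_SECONDS:
            return {"status": 400, "error": "invalid or expired code"}
        rc.attempts += 1
        if hmac.compare_digest(rc.code, code):   # constant-time comparison
            del self.codes[email]                # single use
            return {"status": 200, "message": "code accepted"}
        if rc.attempts >= MAX_ATTEMPTS:
            # Budget exhausted: the code is burned and a new one must be
            # requested, so a 4-digit space cannot be swept in one session.
            del self.codes[email]
            self.log.append(("reset_code_lockout", email, rc.attempts))
            return {"status": 429, "error": "too many attempts"}
        return {"status": 400, "error": "invalid or expired code"}
```

With this budget an attacker gets at most 5 guesses out of 10,000 per reset email, and every exhausted budget leaves a lockout event in the log rather than a silent stream of 4xx responses.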
Conclusion
Security of IoT devices is essential. As evidenced by the simplicity of this exploit, these applications and devices sometimes sit without eyes on them for long periods of time.
Also, kudos to the people at Chamberlain for responding and fixing the issue so quickly. It’s hard to stress enough how often we attempt to report highly impactful vulnerabilities and are completely ignored. I’m also a big fan of their myQ devices in general, so check them out!
Brackish Security recommends penetration testing and source code review of all software and IoT devices. Additionally, it is recommended that every company establish a Vulnerability Disclosure Program (VDP) or Bug Bounty Program (BBP). If you need a penetration test, or some assistance in establishing a VDP or BBP, please reach out to Brackish and Help Make the Bad Guys Salty!