Share: Email | Twitter

ID

VDE-2022-052

Published

2022-11-21 10:00 (CET)

Last update

2022-11-22 14:44 (CET)

Vendor(s)

Miele & Cie KG

Product(s)

Article No┬░ Product Name Affected Version(s)
appWash by Miele = All Versions

Summary

Up until October 5th, 2022 the ease2pay API used by Miele's "AppWash" MobileApp was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.


Last Update:

Dec. 13, 2022, 10:34 a.m.

Weakness

Authorization Bypass Through User-Controlled Key  (CWE-639) 

Summary

An API Endpoint used by Miele's "AppWash" MobileApp in all versions was vulnerable to an authorization bypass. A low privileged, remote attacker would have been able to gain read and partial write access to other users data by modifying a small part of a HTTP request sent to the API. Reading or changing the password of another user was not possible, thus no impact to Availability.


Impact

The evaluation of the log files by ease2pay did not show any sign of actual exploitation of the vulnerability, extraction of data or misuse.

Solution

The ease2pay cloud service used by appWash was fixed on 05.10.2022. The tokens used for session authentication were changed to a secure state of the art solution. All affected tokens have been invalidated and new tokens were issued.

Therefore, no actions have to be taken by the users.

Reported by

CERT@VDE coordinated with Miele.

Miele would like to thank Bishoy Roufael for responsibly disclosing this vulnerability.