Only a short while after finding a vulnerability in the Cacagoo IP camera, Avira IoT researchers have identified a serious cross-site scripting (XSS) vulnerability in Eyeplusiot.com, a home monitoring video camera website. The XSS vulnerability allows cyber-criminals to remotely access users' audio/video recordings by injecting malicious code into the Eyeplusiot.com website.
Identifying the XSS vulnerability
To perform a comprehensive security assessment, we looked into Eyeplusiot.com and tested these areas:
- File disclosure
- Database Injection
- Cross site scripting (XSS)
- Command Execution Detection
- CRLF Injection
We identified an XSS vulnerability in a query-string parameter, as shown below:
To reproduce the XSS vulnerability on the website, we appended the following query string to the URL:
https://www.eyeplusiot.com/login?%27%22–%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27VULNERABLE%27%29%3C%2Fscript%3E
The site decodes the URL parameter and pops up a JavaScript alert box showing “VULNERABLE”.
In this way, an attacker can use specially crafted URL parameters to inject script into Eyeplusiot pages; that script executes as arbitrary JavaScript in the victim's browser and compromises the website.
Implications
Attackers often look to compromise websites and devices used for monitoring audio/video recordings. In this case they exploit a poorly secured website that connects to many brands of home IoT camera. Having identified a vulnerability, they look for leverage through multiple malicious activities such as spying on users, installing malware, and stealing personal and financial data.
Conclusion
Our research demonstrates an XSS vulnerability that can be exploited by attackers. It is important to fix this issue to improve security. Here are some recommendations from the Avira IoT research team:
XSS is a client-side code injection attack that executes malicious script in a victim’s web browser or application. To prevent this, the application code should not output data received as input without checking it for malicious code. Any flow where user input is reflected back into the web page requires the data to be sanitized before output. Special characters like “<>” or “&” need to be neutralized so that they are not rendered as markup by the browser.
Unsafe services compromise user safety: it does not matter whether the service is a website or a camera. Avira’s SafeThings IoT solution and anti-malware technologies enable the identification of domains and URLs that contain malicious or potentially malicious content.
The lack of sufficient cybersecurity implementations in IoT devices is a major problem, not only for the IP surveillance industry but for all IoT-based businesses. Learn more about creating a secure IoT environment for customers.