XSS Vulnerability discovered in video camera monitoring web service

Avira Protection Labs, 3 weeks ago 2 min read

Only a short while after finding a vulnerability in the Cacagoo IP camera, Avira IoT researchers have identified a serious cross-site scripting (XSS) vulnerability in Eyeplusiot.com, a home monitoring video camera website. The XSS vulnerability allows cyber-criminals to remotely access users' audio/video recordings by injecting malicious code into the Eyeplusiot.com website.

Identifying the XSS vulnerability

To perform a comprehensive security assessment, we looked into Eyeplusiot.com and tested these areas:

  • File disclosure
  • Database Injection
  • Cross site scripting (XSS)
  • Command Execution Detection
  • CRLF Injection

We identified an XSS vulnerability in a query string parameter, as shown below:

To reproduce the XSS vulnerability in the website, we appended the following query string to the login URL:

https://www.eyeplusiot.com/login?%27%22–%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3Ealert%28%27VULNERABLE%27%29%3C%2Fscript%3E

The site decodes the URL parameter and pops up a JavaScript alert box showing "VULNERABLE".

In this way, an attacker can use specially crafted URL parameters to inject script into Eyeplusiot pages; that script executes arbitrary JavaScript code in the victim's browser and compromises the website.

Implications

Attackers often look to compromise websites and devices used for monitoring audio/video recordings. In this case they exploit a poorly secured website that connects to many brands of home IoT camera. Having identified a vulnerability, they look for leverage through multiple malicious activities, such as spying on users, installing malware, and stealing personal and financial data.

Conclusion

Our research demonstrates an XSS vulnerability that can be exploited by attackers. It is important to fix this issue to improve security. Here are some recommendations from the Avira IoT research team:

XSS is a client-side code injection attack that executes a malicious script in a victim's web browser or application. To prevent this, the application code should not output data received as input without checking it for malicious content. Any page where user input is reflected back into the response requires the data to be sanitized before output. Special characters such as "<", ">" or "&" need to be removed so that they are not rendered by the browser as markup.
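As an added illustration (not code from the Avira post or from Eyeplusiot.com), the following Python stand-in shows the reflection described above in its unsafe form beside an output-encoded form, and uses the standard-library HTML parser to show what a browser would build from each. Encoding at the point of output, rather than stripping characters, also preserves the original data for legitimate users. The placeholder host, the `redirect` attribute name and all function names are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Constructed URL mirroring the query string shown above; the host is a placeholder.
DEMO_URL = ("https://example.invalid/login?"
            "%27%22--%3E%3C%2Fstyle%3E%3C%2Fscript%3E%3Cscript%3E"
            "alert%28%27VULNERABLE%27%29%3C%2Fscript%3E")


def reflected_value(url: str) -> str:
    """URL-decode the raw query string, as the site does before reflecting it."""
    return unquote(urlsplit(url).query)


def render_vulnerable(value: str) -> str:
    """'Before': the decoded input is concatenated straight into the page.
    The attribute name is a hypothetical stand-in for wherever the site reflects it."""
    return f'<input name="redirect" value="{value}">'


def render_hardened(value: str) -> str:
    """'After': HTML-encode at the point of output. html.escape turns & < > " '
    into entities, so the browser displays text instead of parsing markup,
    and the original value is still recoverable from the attribute."""
    return f'<input name="redirect" value="{html.escape(value, quote=True)}">'


class TagCollector(HTMLParser):
    """Records every start tag with its (entity-decoded) attributes, i.e. the
    elements a browser would actually create from the markup."""
    def __init__(self) -> None:
        super().__init__()
        self.elements: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.elements.append((tag, dict(attrs)))


def parsed_elements(markup: str) -> list:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.elements


if __name__ == "__main__":
    payload = reflected_value(DEMO_URL)
    for label, render in (("vulnerable", render_vulnerable), ("hardened", render_hardened)):
        tags = [tag for tag, _ in parsed_elements(render(payload))]
        print(f"{label:10s} -> elements created: {tags}")
```

Run stand-alone, the unsafe rendering yields an extra `script` element while the encoded rendering yields only the `input` element whose value decodes back to the original text.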

Unsafe services compromise user safety: It does not matter whether the service is a website or a camera. Avira’s SafeThings IoT solution and anti-malware technologies enable the identification of domains and URLs that contain malicious or potentially malicious content.

The lack of sufficient cybersecurity implementations in IoT devices is a major problem, not only for the IP surveillance industry but for all IoT-based businesses. Learn more about creating a secure IoT environment for customers.


Avira Protection Labs

Protection Lab is the heart of Avira's threat detection and protection unit. The researchers at work in the Labs are some of the most qualified and skilled anti-malware researchers in the security industry. They conduct highly advanced research to provide the best detection and protection to nearly a billion people worldwide.
