Guardzilla IoT Video Camera Hard-Coded Credential (CVE-2018-5560)

From blog.rapid7.com

Executive summary

The Guardzilla IoT-enabled home video surveillance system contains a shared Amazon S3 credential used for storing saved video data. Because of this design, all users of the Guardzilla All-In-One Video Security System can access each other’s saved home video.

This issue is an instance of CWE-798: Use of Hard-coded Credentials. It has a CVSSv3 base score of 8.6, since once the password is known, any unauthenticated user can collect the data from any affected system over the internet.

Product description

The Guardzilla All-In-One Video Security System is a home security platform that provides indoor video surveillance. More information about the product can be found at the vendor’s website. Only the GZ501W model was tested. It is not known whether other models are affected.
