A hard-coded credentials vulnerability in Guardzilla IoT video cameras could grant a moderately skilled attacker unlimited access to all S3 buckets provisioned for the account.
The vulnerability (CVE-2018-5560) was discovered during the 0DAYALLDAY Research Event on Sept. 29, 2018. The researchers reported it to Rapid7 for coordinated disclosure and to CERT, and it was publicly disclosed on Dec. 27, 2018. According to the disclosure, the vendor has yet to respond to any communication from Rapid7 or CERT.
The vulnerability lies in the design and implementation of Amazon Simple Storage Service (S3) credentials inside the Guardzilla Security Camera firmware. The researchers noted that no user data was accessed during testing, but the embedded S3 credentials could easily be used to view and download any file or video stored in the associated buckets. Because the same credentials ship in every unit's firmware, anyone who extracts them from one camera holds the same access that every camera has.
The vulnerability carries a CVSSv3 base score of 8.6. To mitigate exploitation and prevent exposure, the researchers recommend reviewing the source code of the various resources and services to verify that data isn't being passed to malicious third parties, limiting the access policy of the embedded S3 credentials, and auditing all third-party libraries for vulnerabilities and updating them where necessary. Note that these steps fall to the vendor rather than to camera owners: the credentials are baked into the firmware, so an end user can neither rotate them nor narrow the IAM policy attached to them.
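The two practical checks behind this story are finding AWS credentials embedded in a firmware image and judging whether the policy attached to them is broader than an uploader-only device needs. The following Python is an added illustration, not code from the article, from Rapid7, or from Guardzilla. The firmware sample is a constructed byte string, the access key and secret in it are the placeholder values AWS publishes in its own documentation (they are not valid credentials), the bucket name and both IAM policies are made up for the example, and the pairing of a key ID with the nearest secret-looking string is a heuristic that flags candidates for manual confirmation rather than proving a hit.

```python
import re
from typing import List, Optional, Tuple

# Long-term IAM user access key IDs are 20 characters: the prefix "AKIA" followed
# by 16 upper-case alphanumerics. Secret access keys are 40 characters drawn from
# the base64 alphabet. Both patterns are anchored so a longer token does not match.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(AKIA[A-Z0-9]{16})(?![A-Z0-9])")
SECRET_RE = re.compile(rb"(?<![A-Za-z0-9/+])([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])")


def find_aws_credentials(blob: bytes, window: int = 256) -> List[Tuple[str, Optional[str]]]:
    """Return (access_key_id, candidate_secret) pairs found in a binary blob.

    For every access key ID, the closest 40-character secret-looking string within
    `window` bytes on either side is paired with it. Assumption: the key and secret
    are stored near each other, as they typically are in a config block.
    """
    found = []
    for m in ACCESS_KEY_RE.finditer(blob):
        start = max(0, m.start() - window)
        region = blob[start:min(len(blob), m.end() + window)]
        secret, best = None, None
        for s in SECRET_RE.finditer(region):
            dist = abs((start + s.start()) - m.start())
            if best is None or dist < best:
                best, secret = dist, s.group(1).decode()
        found.append((m.group(1).decode(), secret))
    return found


# Constructed stand-in for a firmware image: an ELF-looking header, a path string,
# a config block with AWS's documentation placeholder credentials, and filler bytes.
FIRMWARE_SAMPLE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 25
    + b"/usr/bin/uploader\x00"
    + b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\x00"
    + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"bucket=gz-camera-uploads\x00"
    + b"\xde\xad\xbe\xef" * 16
)


def policy_findings(policy: dict, allowed_actions=frozenset({"s3:PutObject"})) -> List[str]:
    """Flag Allow statements that grant more than an upload-only device needs.

    Any action outside `allowed_actions` is reported (this catches "s3:*" and "*"),
    as is any resource that is not scoped to a specific bucket or prefix.
    """
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = st.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        for a in actions:
            if a not in allowed_actions:
                findings.append(f"statement {i}: action {a!r} outside allowed set")
        for r in resources:
            if r in ("*", "arn:aws:s3:::*"):
                findings.append(f"statement {i}: unscoped resource {r!r}")
    return findings


# What a single shared key with full S3 rights looks like (hypothetical policy).
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Upload-only, confined to one bucket and to a per-device prefix via the IAM
# policy variable ${aws:username}; a device can neither list nor read back
# other recordings even if its credentials leak (hypothetical policy).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::gz-camera-uploads/${aws:username}/*",
    }],
}


if __name__ == "__main__":
    for key_id, secret in find_aws_credentials(FIRMWARE_SAMPLE):
        print(f"embedded key {key_id} with secret {secret}")
    print("overbroad:", policy_findings(OVERBROAD_POLICY))
    print("scoped:", policy_findings(SCOPED_POLICY))
```

Run it against a real image by reading the unpacked firmware into `blob` (for example after extracting the root filesystem with a tool such as binwalk). A scoped policy like the second one limits the blast radius of a leaked key, but it does not fix this class of bug: per-device credentials issued at provisioning time, rather than one key shared by every unit, are what prevent a single firmware dump from unlocking everyone's recordings.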