The only risk to availability was the low privileged attacker being able to change the password of another user, thus resulting in a change of the "role" of the other user on the system. The API Endpoint was not publicly accessible, thus no data had been stored on a public server. The Miele's "AppWash" MobileApp was published on Google Play and the App Store. A total of 1.6M active installs, 6.9K ratings, and 6.9K reviews were received. Miele's "AppWash" MobileApp was also published on Facebook and the App Store. A total of 6.9K active installs, 1.4K ratings, and 1.4K reviews were received. Thus, the "AppWash" MobileApp was used by many people around the globe.
How a Pivoting Attack Is Successful
A pivoting attack is successful when it allows the potential attacker to change his or her identity, in order to carry out a different set of actions.
Let’s say an attacker wanted to gain control of Miele's "AppWash" MobileApp, which was published on Facebook and the App Store. The attacker would first create a new account on Facebook and make it public. They would then install the "AppWash" MobileApp on their personal device and use this device to connect to the database of the "AppWash" MobileApp. Using this access, they are able to view other users' data without any authorization required.
If Miele had been using a password hashing algorithm that was not strong enough, such as MD5, then if an attacker gained access by changing their own password, they would have been able to change their role (e.g., from administrator to user). This would allow them modify any user's data in this database and add additional users for their own benefit.
Timeline
Published on: 11/21/2022 10:15:00 UTC