Cybersecurity researcher Eaton Zveare discovered that Jacuzzi’s smart hot tubs exposed owner data, leaving it vulnerable to malicious actors accessing the information.
Zveare was the first to document the issue on his website, explaining that when he first tried to set up his account on the site linked to the smart hot tub app, he was presented with an unauthorised access error message after signing in with the credentials he had set through the app.
“Right before that message appeared, I saw a header and table briefly flash on my screen. Blink, and you’d miss it. I had to use a screen recorder to capture it,” Zveare said.
“I was surprised to discover it was an admin panel populated with user data.”
A quick look at the data revealed that it contained information about owners of several smart hot tub brands.
He found that the site checks if the user is an admin, and if they aren’t, they are redirected to the unauthorised error message.
Zveare determined that he may be able to block the unauthorised message “if the HTTP response could be intercepted to add in the missing Admin role”.
“I used Fiddler to modify the HTTP response accordingly, and I was finally able to access the admin panel in full,” Zveare said.
This gave the cybersecurity researcher unrestricted access to the admin panel, where he could view owner names and email addresses and even remove their ownership data entirely.
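What Zveare describes is a client-side authorization check: the server hands every authenticated session the admin data together with a role list, and only the browser's JavaScript decides whether to show it. The following is an added example, not Jacuzzi's code or anything from Zveare's write-up; the session store, role names, owner records and function names are all constructed for illustration. It places that vulnerable pattern beside the server-side guard that fixes it, and measures what a non-admin session receives from each.

```javascript
// Added example, not Jacuzzi's code: a client-side role check (the pattern
// described in the article) beside a server-side one. The session store,
// role names and owner records below are constructed for illustration.

// Constructed sample data: two sessions and a small owner table.
const sessions = {
  "sess-admin": { user: "staff", roles: ["Admin"] },
  "sess-owner": { user: "owner1", roles: ["Owner"] },
};
const ownerRecords = [
  { name: "Owner One", email: "one@example.invalid" },
  { name: "Owner Two", email: "two@example.invalid" },
];

// VULNERABLE: the endpoint trusts the client to hide the table. Every
// authenticated session receives the full owner list plus its own role list;
// the only gate is the JavaScript that decides whether to render it.
function vulnerableAdminPanel(sessionId) {
  const session = sessions[sessionId];
  if (!session) return { status: 401, body: null };
  return { status: 200, body: { roles: session.roles, owners: ownerRecords } };
}

// The client-side gate: correct on an honest client, meaningless as a control,
// because the data is already in the response whether or not the panel renders.
function clientWouldRender(response) {
  return response.status === 200 && response.body.roles.includes("Admin");
}

// HARDENED: a reusable guard that checks the role on the server and refuses to
// run the handler (so no data is assembled or sent) unless the check passes.
function requireRole(role, handler) {
  return (sessionId) => {
    const session = sessions[sessionId];
    if (!session) return { status: 401, body: null };
    if (!session.roles.includes(role)) return { status: 403, body: null };
    return handler(session);
  };
}

const hardenedAdminPanel = requireRole("Admin", (session) => ({
  status: 200,
  body: { owners: ownerRecords },
}));

// Measures what a given session actually receives from an endpoint:
// the number of owner records present in the response body.
function ownersExposedTo(handler, sessionId) {
  const r = handler(sessionId);
  return r.body && Array.isArray(r.body.owners) ? r.body.owners.length : 0;
}

// Stand-alone run: compare both endpoints for the non-admin session.
console.log("vulnerable endpoint, owner session:",
  ownersExposedTo(vulnerableAdminPanel, "sess-owner"), "records in response");
console.log("hardened endpoint, owner session:",
  ownersExposedTo(hardenedAdminPanel, "sess-owner"), "records in response");
```

The point of `ownersExposedTo` is that it ignores what the client would draw on screen and counts what crossed the wire: with the vulnerable endpoint the non-admin session gets every owner record even though `clientWouldRender` returns false, which is exactly the brief flash Zveare captured; with the guard in place the same session gets a 403 and an empty body, so there is nothing for a modified response to reveal. The same server-side check belongs on the delete and modify operations, not only on the listing.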
Zveare found a second admin panel while reviewing the Android app APK, where he found product, dealer, registered phone, and app log data.
After Zveare sent multiple emails to Jacuzzi without receiving a response, the admin panels were quietly secured, having been vulnerable for months.