Flaw in Guardzilla Security System Exposes User Video Footage

A significant vulnerability in Guardzilla’s All-In-One Video Security System has been disclosed following its discovery during a 0DAYALLDAY research event. The vulnerability, CVE-2018-5560, allows any Guardzilla user to access another user’s stored video. A hard-coded credential gives any user access to a shared Amazon S3 instance, where that user can access the free-video-storage, free-video-storage-persist, premium-video-storage, and premium-video-storage-persist buckets. Guardzilla has been contacted about the vulnerability but, at the time of writing, has yet to issue a response or patch. In the meantime, the NJCCIC advises users who want to protect their accounts to disable cloud-based storage options on their device or contact Guardzilla for more guidance. More technical information on the vulnerability can be found in 0DAYALLDAY’s blog post.
