CVE-2020-27199
published 2020-12-17
Priority: P3 (57), high, 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EXPLOIT
EPSS: 2.88% (85.1th percentile)
The Magic Home Pro application 1.5.1 for Android allows authentication bypass. The security control that the application currently has in place is a simple username and password authentication function. Using enumeration, an attacker is able to forge a user-specific token without needing the correct password and gain access to the mobile application as the victim user.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| magic_home_pro_project | magic_home_pro | — | — |
Detection & IOCs
- bytes: 71230fa3
- bytes: 71240fa4
- Flag JWT tokens with algorithm set to 'None' (alg: None) in the token header field of HTTP requests to magichue.net API endpoints — this is the core token-forging technique used in the bypass.
- Monitor POST requests to /app/shareDevice/ZG001 carrying a forged token header — this is the final stage of the attack used to take over a victim's device.
- Alert on authentication requests to magichue.net API that originate without a valid password field — the exploit authenticates with an empty or attacker-controlled credential to obtain a legitimate token used for enumeration.
- The forged JWT uses hardcoded expiry/refresh/login timestamps (expireDate: 1618264850608, refreshDate: 1613080850608, loginDate: 1602712850608); attackers may update these values to extend token validity.
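The first two checks above can be run over proxy or gateway logs as follows. This is an added example, not code from this page or from the vendor. It assumes the JWT travels in a request header named `token` and that each log record is a dict with `host`, `method`, `path` and `headers` keys (a hypothetical schema). It also flags tokens with an empty signature segment, which goes slightly beyond the `alg: None` check described above.

```python
import base64
import json

API_HOST = "magichue.net"  # API host named on the page
SHARE_PATH = "/app/shareDevice/ZG001"  # endpoint named on the page


def make_token(header, payload, signature=""):
    """Build a constructed sample JWT (test input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.{signature}"


def jwt_is_unsigned(token):
    """True if the JWT header declares alg none (any casing) or the signature is empty."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        return False
    try:
        raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
        header = json.loads(raw)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(header, dict):
        return False
    return str(header.get("alg", "")).lower() == "none" or parts[2] == ""


def findings(request):
    """request: dict with host, method, path, headers (hypothetical log schema)."""
    host = request.get("host", "").lower()
    if host != API_HOST and not host.endswith("." + API_HOST):
        return []
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    token = headers.get("token", "")
    out = []
    if token and jwt_is_unsigned(token):
        out.append("unsigned-jwt")
        if request.get("method") == "POST" and request.get("path", "").startswith(SHARE_PATH):
            out.append("share-device-with-unsigned-jwt")
    return out


# Constructed sample tokens and request, not captured traffic.
FORGED = make_token({"typ": "JWT", "alg": "None"}, {"sub": "constructed"})
SIGNED = make_token({"typ": "JWT", "alg": "HS256"}, {"sub": "constructed"}, "c2ln")
if __name__ == "__main__":
    req = {"host": "magichue.net", "method": "POST", "path": SHARE_PATH, "headers": {"token": FORGED}}
    print(findings(req))
```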
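CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |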
No detection rules found.
No writeups or analysis indexed.
Published: 2020-12-17