Vulnerability Note VU#719736
Fisher-Price Smart Toy platform allows some unauthenticated web API commands
The Fisher-Price Smart Toy does not perform proper authentication of some API commands, and it may also use a vulnerable version of Android.
The Fisher-Price Smart Toy bear is a new WiFi-connected Internet of Things (IoT) toy. The device utilizes network connectivity to provide more interactivity with children.
CWE-287: Improper Authentication - CVE-2015-8269
A remote attacker may be able to view or edit private information about the child and/or parent that registers the toy, and may take over ownership of the toy.
Fisher-Price has made changes to the platform to mitigate this issue. Concerned users should contact Mattel, Inc. / Fisher-Price for more information.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Mattel||Affected||06 Jan 2016||01 Feb 2016|
CVSS Metrics (Learn More)
Thanks to Mark Stanislav of Rapid7, Inc., for reporting these issues to us.
This document was written by Garret Wassermann.
- CVE IDs: CVE-2015-8269
- Date Public: 02 Feb 2016
- Date First Published: 02 Feb 2016
- Date Last Updated: 02 Feb 2016
- Document Revision: 32
If you have feedback, comments, or additional information about this vulnerability, please send us email.