Recently I bought an Ecoflow Wave 2 air conditioner. Since Ecoflow does not provide an API for the device, I looked more closely at the traffic of the Ecoflow app in order to build an integration for my Home Assistant myself. To my surprise, I came across credentials for Ecoflow’s Alibaba Object Storage Service. With these credentials, I could view not only my own files but also company-internal files and even other users’ data.
How did I get the access data?
Using the app Proxyman, I listened to the traffic of the Ecoflow app while controlling the device, and in the subsequent analysis I noticed two specific HTTP responses that pointed to an Alibaba Object Storage Service (OSS).
Here is the connection data to the Alibaba Object Storage Service:
And the appropriate access data right behind:
This is nothing unusual. Usually, these credentials lead to a personal user area where you can upload your profile picture or where the app can write its log files.
Out of curiosity, I logged into Alibaba’s OSS client browser with the credentials and ended up not in my user area as expected, but in a large folder overview.
Not stopping there, I was able to navigate up one level and had the overview of many many buckets in front of me:
It wasn’t just read permissions on all buckets. Write permissions were available too, and I could navigate freely through every bucket.
Am I affected myself?
At the very least I wanted to see my own profile picture, so I navigated to the path that my app also calls when I open my profile. Here is my profile picture from the app:
After renaming the file from .image to .jpg, I could see the profile picture.
Configuration errors happen, but this one has to be fixed quickly. Company data – and user data as well – is lying around openly, because the permissions do not stop at the folder where they should stop.
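As an added illustration of the permission boundary described above (this is not Ecoflow’s configuration or Alibaba’s tooling), here is a small Python check that inspects an Alibaba Cloud RAM/STS policy of the kind an app client might be handed and flags anything that reaches beyond one user’s folder. The bucket name, the user prefix and both policies are constructed assumptions.

```python
import fnmatch

# Constructed example of the over-broad grant the post describes: every action on every bucket.
BROAD_POLICY = {
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": ["oss:*"], "Resource": ["*"]}],
}
# Constructed least-privilege policy: objects only under users/12345/, listing pinned to that prefix.
SCOPED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:PutObject"],
         "Resource": ["acs:oss:*:*:app-bucket/users/12345/*"]},
        {"Effect": "Allow",
         "Action": ["oss:ListObjects"],
         "Resource": ["acs:oss:*:*:app-bucket"],
         "Condition": {"StringLike": {"oss:Prefix": ["users/12345/*"]}}},
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def overreach(policy, bucket, user_prefix):
    """Return findings for Allow statements that reach beyond <bucket>/<user_prefix>.
    Two probe ARNs stand in for data the client must never see; resource patterns
    are matched with shell-style wildcards, which is how '*' behaves in RAM."""
    probes = [
        f"acs:oss:*:*:{bucket}/users/99999/avatar.image",  # another user's object
        "acs:oss:*:*:internal-bucket/payroll.xlsx",         # an unrelated bucket
    ]
    bucket_arn = f"acs:oss:*:*:{bucket}"
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st["Action"])
        can_list = any(a in ("oss:*", "oss:ListObjects") for a in actions)
        for res in _as_list(st["Resource"]):
            for probe in probes:
                if fnmatch.fnmatchcase(probe, res):
                    findings.append(f"{actions} on {res} reaches {probe}")
            # Listing a whole bucket exposes every user's object names unless oss:Prefix pins it.
            if can_list and fnmatch.fnmatchcase(bucket_arn, res):
                prefixes = _as_list(st.get("Condition", {})
                                    .get("StringLike", {}).get("oss:Prefix", []))
                if not prefixes or not all(p.startswith(user_prefix) for p in prefixes):
                    findings.append(f"{actions} can list all of {bucket}")
    return findings
```

Run against the broad policy it reports the other user’s object, the unrelated bucket and the unrestricted listing; the scoped policy produces no findings.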
In the IT world, there is an established standard for reporting security issues, RFC 9116 (security.txt). Unfortunately, Ecoflow has not implemented this standard, which made it very difficult to find the right contact. I contacted all the support email addresses I could find, for the EU, the USA and China. Additionally, I described my problem in the website chat support without going into details, asking that the IT security department contact me.
“They would get back to me.”
There was no response from Ecoflow at all. No one felt responsible, and more days passed without any feedback.
Finally, a single standard ticket was created, saying that they would get back to us within 1-2 days. But even after this promised deadline had passed, there was no response.
I was beginning to despair. The problem was supposed to be fixed quickly, but by now a week had passed without a single response from Ecoflow.
Some people had listed Ecoflow as an employer on LinkedIn, but I couldn’t contact them directly without a LinkedIn Premium membership. So I decided to purchase a LinkedIn Premium membership.
I started writing to all sorts of people on LinkedIn who were a thematic fit in the technical direction.
Finally, I received feedback from a single person who referred me to their corporate email. There, I sent a screenshot as proof to raise an alarm with the people in question and asked to be contacted by the IT department.
Still no feedback from Ecoflow
Again many days passed, and in a free minute I try to log in to the OSS once more. Lo and behold: I can no longer log in:
So someone has reacted and adjusted the permissions.
Do you even communicate?
I wait for a reaction from Ecoflow, but nothing comes. I write to my contact at Ecoflow by email again:
“…Thanks for fixing this, can you please connect me with the folks in IT?”
In reply comes a short paragraph:
“Thank you for the note, your feedback has been instrumental in resolving the issue. Have a great weekend.”
Ok, wait… wait… wait. A $1Bn company fobs off someone who spent many hours on their problem and followed a responsible disclosure procedure with “thanks, have a nice weekend”?
I ask whether Ecoflow has a bug bounty program, where I could at least earn some reputation as a security researcher.
Platforms such as HackerOne exist precisely for such security topics, so that you can build up a reputation as a security researcher. Companies can officially credit security researchers there when they report cases through a responsible disclosure procedure.
As a final response, I get an offer of $50 and a 30% voucher for the online store. The impact, they say, would have been minimal, and they see the problem as a low-risk scenario.
This is not the kind of recognition I was hoping for. I am now finally letting it go, incredibly frustrated.
In my case with Segway, where I discovered a similar security problem, the communication was so much better and more trusting. I dealt directly with the IT department there. The communication was very open and they were incredibly grateful for the report. I was also kept up to date throughout the entire process. Despite a few teething problems, it was ultimately a good experience.
Ecoflow, on the other hand, will not get any more security vulnerabilities reported by me.