CVE-2022-24188: n/a in n/a
The /device/signin endpoint of the Ourphoto App version 1.4.1 discloses clear-text password information for functionality within the picture frame devices. The deviceVideoCallPassword and mqttPassword are returned in clear text. The lack of session management and the presence of insecure direct object references allow the endpoint to return password information for other end users' devices. Many of the picture frame devices offer video calling, and it is likely this information can be used to abuse that functionality.
AI Analysis
Technical Summary
CVE-2022-24188 is a high-severity information disclosure in the Ourphoto App version 1.4.1. The /device/signin endpoint, which the app uses to sign in picture frame devices (many of which offer video calling), returns two credentials in clear text in its response: deviceVideoCallPassword, which authenticates video call sessions, and mqttPassword, which authenticates the frame to the MQTT messaging service.

Two weaknesses combine. The endpoint does not bind the request to an authenticated session, and it looks the device up by a caller-supplied identifier without checking that the caller owns it (an insecure direct object reference, IDOR). An attacker who can reach the endpoint can therefore supply or enumerate other users' device identifiers and receive their clear-text passwords, with no privileges and no user interaction. The CVE is classified under CWE-312 (Cleartext Storage of Sensitive Information); note that the IDOR is a separate weakness class (CWE-639, Authorization Bypass Through User-Controlled Key), and removing the clear-text disclosure alone would not close the authorization hole, nor the reverse.

With the video-call password an attacker can plausibly join or hijack calls to a frame or impersonate its user; with the MQTT password they can connect to the broker as the device and read or publish on its topics, to whatever extent the broker's topic authorization allows. No exploitation in the wild had been reported at the time of analysis, but the flaw is reachable over the network and needs no authentication, so it carries significant risk.

The CVSS v3.1 base score is 7.5 (High): attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), scope unchanged, with high confidentiality impact (C:H) and no integrity or availability impact (I:N/A:N). The vector scores only the disclosure itself; what an attacker then does with the leaked MQTT and video-call credentials is not reflected in the integrity and availability metrics.
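To make the two weaknesses concrete, here is an added example in Python that is not code from Ourphoto or from this page's author: a toy in-memory model of the sign-in lookup in its vulnerable shape beside a hardened form, plus the response check a tester would run against both. The Ourphoto backend is not public, so the record layout, the owner field, the session scheme, the frame identifiers and the sample passwords are assumptions; only the field names deviceVideoCallPassword and mqttPassword come from the advisory.

```python
"""Toy model of the CVE-2022-24188 failure pattern and one hardened form.

Added example; not code from Ourphoto or from this page. The real backend is
not public, so the record layout, the "owner" field, the session scheme, the
frame identifiers and the sample passwords are assumptions. Only the field
names deviceVideoCallPassword and mqttPassword come from the advisory.
"""
import re
import secrets
from typing import Any, Callable, Iterable

# Constructed sample data: two accounts, one frame each.
DEVICES: dict[str, dict[str, Any]] = {
    "frame-1001": {
        "owner": "alice", "model": "10in-wifi",
        "deviceVideoCallPassword": "call-pass-A", "mqttPassword": "mqtt-pass-A",
    },
    "frame-1002": {
        "owner": "bob", "model": "8in-wifi",
        "deviceVideoCallPassword": "call-pass-B", "mqttPassword": "mqtt-pass-B",
    },
}
# Assumed session store: opaque token -> account name.
SESSIONS: dict[str, str] = {}
# Fields that may leave the server in a user-facing device lookup.
PUBLIC_FIELDS = {"model"}
# Heuristic used by the test-side check below.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token)$", re.IGNORECASE)


def login(account: str) -> str:
    """Issue an opaque session token (how the account authenticates is out of scope)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def vulnerable_device_signin(device_id: str) -> dict[str, Any]:
    """The advisory's pattern: no session, lookup by caller-supplied id, secrets echoed."""
    record = DEVICES.get(device_id)
    if record is None:
        return {"status": 404}
    return {"status": 200, "device": dict(record)}


def hardened_device_signin(session_token: str, device_id: str) -> dict[str, Any]:
    """Bind the lookup to the caller's account and never echo credentials."""
    account = SESSIONS.get(session_token)
    if account is None:
        return {"status": 401}
    record = DEVICES.get(device_id)
    # Same answer for "not yours" and "does not exist", so ids cannot be enumerated.
    if record is None or record["owner"] != account:
        return {"status": 404}
    # Allow-list the outgoing fields. The frame's own MQTT and video-call
    # credentials would be provisioned over a device-authenticated channel
    # (assumed design) and are never part of a user-facing response.
    return {"status": 200, "device": {k: record[k] for k in PUBLIC_FIELDS if k in record}}


def leaked_secret_fields(response: dict[str, Any]) -> list[str]:
    """Test-side check: dotted paths of string fields whose name looks like a credential."""
    found: list[str] = []

    def walk(obj: Any, path: str) -> None:
        if isinstance(obj, dict):
            for key, value in obj.items():
                here = f"{path}.{key}" if path else key
                if isinstance(value, str) and SECRET_KEY_RE.search(key):
                    found.append(here)
                walk(value, here)
        elif isinstance(obj, list):
            for i, value in enumerate(obj):
                walk(value, f"{path}[{i}]")

    walk(response, "")
    return found


def idor_probe(signin: Callable[[str], dict[str, Any]], candidate_ids: Iterable[str]) -> list[str]:
    """Identifiers for which the endpoint handed credentials to this caller."""
    return [d for d in candidate_ids if leaked_secret_fields(signin(d))]


if __name__ == "__main__":
    probe_ids = [f"frame-{n}" for n in range(1000, 1005)]
    print("vulnerable handler leaks for:", idor_probe(vulnerable_device_signin, probe_ids))
    alice = login("alice")
    print("hardened handler, as alice:", idor_probe(lambda d: hardened_device_signin(alice, d), probe_ids))
```

Running the file prints the identifiers the vulnerable handler leaks credentials for (every valid one, whoever asks) and the empty list the hardened handler yields for the same probe. The `leaked_secret_fields` check is the part worth lifting into an API test suite: it fails any response carrying a credential-looking string field, which is the regression test that would have caught this bug before the IDOR even mattered.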
Potential Impact
For European organizations that ship, deploy or support consumer electronics, smart home devices or IoT ecosystems, the practical risk is privacy loss and account takeover rather than a conventional server compromise. Leaked video-call passwords can let an attacker reach the calling feature of frames they do not own, eavesdrop on private calls or impersonate legitimate callers; because the frames are typically installed in homes and carry personal data, a confirmed exposure is a personal data breach under the GDPR with the usual notification duties. Leaked MQTT passwords let an attacker authenticate to the messaging service as the device; depending on how the broker authorizes topics, that may allow reading device messages, injecting commands or disrupting the device, and a frame on a corporate or institutional network becomes a foothold for lateral movement. Organizations that place these devices in sensitive environments such as healthcare, education or offices face the resulting reputational, regulatory and trust consequences. The missing session management and the IDOR are also signs of a backend that was not designed around per-user authorization, so similar issues in other endpoints of the same service are plausible and worth testing for.
Mitigation Recommendations
1. The /device/signin endpoint is part of the Ourphoto service the app talks to, not the frame itself, so disabling or gating it until a fix ships is a vendor-side action. Deployers of the frames cannot apply it themselves and should instead limit what the frames can reach (items 7 and 8).
2. Vendor side: require an authenticated session on every device-management endpoint and bind each lookup to the session's account, so a device record is returned only to the account that owns it. This is the fix for the IDOR; answering foreign device identifiers with the same response as unknown ones also stops identifier enumeration.
3. Vendor side: do not return deviceVideoCallPassword, mqttPassword or any other credential in API responses at all. Respond with an allow-listed set of fields and provision the frame's own MQTT and video-call credentials over a device-authenticated channel. TLS in transit and encryption at rest remain necessary, but neither addresses this flaw: the passwords were handed to a request the server treated as legitimate, not intercepted on the wire.
4. Vendor side: rotate every deviceVideoCallPassword and mqttPassword that could have been retrieved through the endpoint, since any of them may already be in a third party's hands, and scope each device's MQTT credential to that device's topics with broker ACLs.
5. Vendor side: monitor the MQTT broker for a device username connecting from more than one source address, for client-id takeovers, and for publishes on topics the device would not normally use; these are the observable traces of a stolen mqttPassword in use.
6. Everyone: ask the vendor for a patched app and firmware release and confirm the server-side fix is in place before relying on the video-calling feature again.
7. Deployers and users: until then, treat the video-calling feature of affected frames as untrusted; install fixed app and firmware versions as soon as they are offered, and retire the device if none are.
8. Deployers: put picture frames and similar IoT devices in a separate network segment with no path to workstations or servers, so a device whose MQTT or video-call credentials are abused cannot be used for lateral movement.
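The mitigation list asks for monitoring of unusual MQTT activity without saying what to look for. The following added example, which is not from the advisory or from the vendor, shows one concrete rule run over constructed Mosquitto-style log lines: alert when a device username connects from a second source address within a short window, and when the broker logs a client-id takeover. The addresses, client ids, usernames and timestamps are invented, and the premise that a frame has a single uplink address (so a second source for its username is suspicious) is an assumption of the example.

```python
"""Spot a stolen MQTT device credential being used from a second vantage point.

Added example, not part of the advisory or the vendor's tooling. The log lines
are constructed in the shape of Mosquitto's "New client connected" and
"already connected" messages; addresses, client ids, usernames and timestamps
are invented. The rule assumes a frame has a single uplink address, so the
same device username appearing from a second source inside a short window is
the trace of someone else holding its mqttPassword.
"""
import re
from collections import defaultdict
from typing import Any

CONNECT_RE = re.compile(
    r"^(?P<ts>\d+): New client connected from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+ "
    r"as (?P<cid>\S+) \(p\d+, c\d+, k\d+, u'(?P<user>[^']*)'\)\.$"
)
# Logged when a second connection reuses an already-connected client id.
TAKEOVER_RE = re.compile(r"^(?P<ts>\d+): Client (?P<cid>\S+) already connected, closing old connection\.$")

# Constructed sample: two frames connect normally; 90 s later frame-1001's
# username appears from an unrelated address and bumps the real frame off;
# an hour later the real frame reconnects from its usual address.
SAMPLE_LOG = """\
1700000000: New client connected from 203.0.113.10:50121 as frame-1001 (p2, c1, k60, u'frame-1001').
1700000005: New client connected from 203.0.113.11:50234 as frame-1002 (p2, c1, k60, u'frame-1002').
1700000090: New client connected from 198.51.100.7:41000 as frame-1001 (p2, c1, k60, u'frame-1001').
1700000090: Client frame-1001 already connected, closing old connection.
1700003700: New client connected from 203.0.113.10:50122 as frame-1001 (p2, c1, k60, u'frame-1001').
"""


def find_credential_reuse(log_text: str, window_s: int = 3600) -> list[dict[str, Any]]:
    """Alerts for a username seen from a second source IP within window_s, and for client-id takeovers."""
    history: dict[str, list[tuple[int, str]]] = defaultdict(list)  # user -> [(ts, ip)]
    alerts: list[dict[str, Any]] = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            ts, ip, user = int(m["ts"]), m["ip"], m["user"]
            # Other addresses this username used inside the window.
            other_ips = sorted({i for t, i in history[user] if ts - t <= window_s and i != ip})
            if other_ips:
                alerts.append({"kind": "multi-source", "ts": ts, "user": user,
                               "new_ip": ip, "prior_ips": other_ips, "client_id": m["cid"]})
            history[user].append((ts, ip))
            continue
        m = TAKEOVER_RE.match(line)
        if m:
            alerts.append({"kind": "session-takeover", "ts": int(m["ts"]), "client_id": m["cid"]})
    return alerts


if __name__ == "__main__":
    for alert in find_credential_reuse(SAMPLE_LOG):
        print(alert)
```

On the sample the rule raises two alerts: the multi-source connection at 1700000090 (frame-1001 from 198.51.100.7 while 203.0.113.10 was seen 90 s earlier) and the takeover the broker logged in the same second. The legitimate reconnect an hour later is outside the window and stays silent; tune `window_s` to the frames' real reconnect cadence, and pair the rule with per-device topic ACLs so that a stolen credential, even when used, cannot reach other frames' topics.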
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-01-31T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef067
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/22/2025, 9:22:43 AM
Last updated: 7/31/2025, 7:12:10 AM
Views: 10