Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Petlibro Vulnerabilities Exposed: Control Your Pet’s Safety Now

30 December 2025 11:13

A series of vulnerabilities has been discovered in the popular Petlibro smart pet feeding ecosystem. In the worst-case scenario, these vulnerabilities allowed an attacker to log into someone else’s account, access pet data, and control connected devices, even modifying feeding schedules and camera operation.

The researcher who published the analysis says the company quickly fixed some of the issues, but the main flaw in the third-party account login mechanism remained active for over two months “for compatibility reasons” and was only deactivated after publication.

According to the author, the investigation began with an analysis of the Petlibro mobile app, used by owners of smart pet feeders, waterers, and other IoT devices. These devices are often installed in the home and used remotely, for example, to feed a cat or dog while traveling.

This is why any errors in authorization and access controls are particularly sensitive in this case: we’re not just talking about data, but about actual control over the device and the person’s life.

The researcher cites as his main discovery an authentication bypass in one of the “social” login scenarios. The problem, as he describes it, was that the server didn’t verify the validity of the OAuth token, but trusted the data sent by the client.

As a result, anyone who knew the public identifiers could obtain a working session for someone else’s profile. The company claims to have added a new, more secure mechanism, but retained the old, vulnerable path for “legacy compatibility” until the majority of users had updated the app.
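The difference between the two login behaviours described above, as an added example that is not code from Petlibro or from the researcher. The field names, client ID and user table are hypothetical, and an HMAC signature stands in for the identity provider's asymmetric token signature so the example runs offline.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-in for the identity provider's signing key. Real providers
# sign ID tokens with asymmetric keys; HMAC is used here only to stay offline.
PROVIDER_KEY = b"constructed-demo-key"
CLIENT_ID = "demo-pet-app"  # hypothetical OAuth client id of the app
USERS_BY_SUBJECT = {"social-1001": "alice", "social-1002": "bob"}  # constructed

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub, aud=CLIENT_ID, ttl=300):
    """Simulates the provider issuing a signed token for a logged-in subject."""
    body = b64e(json.dumps({"sub": sub, "aud": aud, "exp": time.time() + ttl}).encode())
    sig = b64e(hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def login_trusting_client(request):
    """Weak pattern from the article: identity is a field the client fills in."""
    return USERS_BY_SUBJECT.get(request.get("social_id"))

def login_verified(request):
    """Hardened: identity comes only from a token that passes signature,
    audience and expiry checks; client-supplied identifiers are ignored."""
    try:
        body, sig = request.get("id_token", "").split(".")
        expected = hmac.new(PROVIDER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
        if claims["aud"] != CLIENT_ID or claims["exp"] < time.time():
            return None
        return USERS_BY_SUBJECT.get(claims["sub"])
    except (ValueError, TypeError, KeyError, AttributeError):
        return None
```

Keeping a legacy route like `login_trusting_client` reachable beside the verified one leaves the weaker check in force, which is the compatibility trade-off the article describes.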

The author then explains that the chain extended to privacy and hardware control. The API, as he describes it, contained methods that returned pet data by ID without verifying that the request had been made by the owner. This allowed for obtaining the pet’s profile: name, date of birth, weight, activity and appetite parameters, photo, and association with the owner. Using this same data, the researcher claims, it was possible to access device information (including technical identifiers) and therefore perform actions available to the owner: change settings, manually initiate feeding, manage schedules, and, for models equipped with a camera, access the video stream.

The author also highlights the risk of personal data leakage: some devices allow you to record voice messages that are played to a pet while it’s being fed. In his opinion, the identifiers in these recordings were predictable, and linking the recording to the device wasn’t secure enough, allowing access to other people’s audio files.

Another scenario he describes is the ability to add yourself as a “shared owner” of someone else’s device through an insecure sharing method.
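The missing checks described in the paragraphs on pet data, device control and shared ownership come down to object-level authorization. The following is an added example, not code from Petlibro or the researcher; all names, IDs and records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

class NotFound(Exception):
    """Raised for both missing and forbidden objects so IDs cannot be probed."""

@dataclass
class Device:
    owner: str
    shared_with: set = field(default_factory=set)
    feed_log: list = field(default_factory=list)

# Constructed sample data.
DEVICES = {"dev-1": Device(owner="alice"), "dev-2": Device(owner="bob")}
PETS = {"pet-1": {"name": "Miso", "owner": "alice", "device": "dev-1"},
        "pet-2": {"name": "Rex", "owner": "bob", "device": "dev-2"}}

def get_pet_by_id_only(pet_id):
    """Weak pattern from the article: the lookup is keyed on the ID alone."""
    return PETS[pet_id]

def get_pet(session_user, pet_id):
    """Hardened: the record is returned only to the session that owns it."""
    pet = PETS.get(pet_id)
    if pet is None or pet["owner"] != session_user:
        raise NotFound(pet_id)
    return pet

def authorized_device(session_user, device_id, owner_only=False):
    """Resolves a device only if the session user is allowed to act on it."""
    dev = DEVICES.get(device_id)
    if dev is None:
        raise NotFound(device_id)
    allowed = {dev.owner} if owner_only else {dev.owner} | dev.shared_with
    if session_user not in allowed:
        raise NotFound(device_id)
    return dev

def feed_now(session_user, device_id, portions):
    """Owner or an explicitly shared user may trigger a manual feed."""
    dev = authorized_device(session_user, device_id)
    dev.feed_log.append((session_user, portions))
    return len(dev.feed_log)

def share_device(session_user, device_id, invitee):
    """Only the owner may grant shared access; a caller cannot add themselves."""
    dev = authorized_device(session_user, device_id, owner_only=True)
    dev.shared_with.add(invitee)
    return sorted(dev.shared_with)
```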

The story also involved a conflict over the “rules of the game” for the researcher. According to the author’s timeline, he reported the issues on November 5, 2025, received confirmation of acceptance and a $500 reward offer. Afterward, the company, after providing him with his payment information, sent him a confidentiality agreement and repeatedly asked him to sign it. The researcher claims he didn’t accept the confidentiality agreement in advance and refused to sign it, emphasizing that the unilateral “they sent the money, so I accepted” approach doesn’t work.

As of December 4, Petlibro reported that “most” of the vulnerabilities had been fixed and that the permission bypass had been “fixed in the latest version of the app,” but the vulnerable “outdated” app continued to function for several weeks.

For users, the conclusion is simple: if you use Petlibro (or any similar IoT device), you should update your app and firmware to the latest versions and pay more attention to social media logins and shared device access. For manufacturers, the case is another reminder that “compatibility” shouldn’t be an excuse to maintain dangerous features when it comes to authorization and remote control of home devices.
