Vologue

Researcher from SecureLayer7
#26484 of 53,622
9.8 Total CVSS
Vulnerabilities · 1
PT-2019-13151
9.8
2019-08-06
Shenzhen Dragon Brothers · Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock Fb50 · CVE-2019-13143
**Name of the Vulnerable Software and Affected Versions**

Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50, version 2.3

**Description**

An HTTP parameter pollution (HPP) issue lets an attacker unbind the existing owner of a lock and bind their own account in its place, which amounts to a complete takeover of the lock. The values the request needs, the victim's user ID and user name and the lock's MAC address, are exposed by APIs used by the Android and iOS applications, so knowing only the lock's MAC address is enough to assemble the request. An attacker holding just that MAC address can therefore move ownership of the lock from the current user to their own account, leaving the lock inaccessible to its legitimate owner.

**Recommendations**

No version containing a fix for this vulnerability is known at the time of writing. As a temporary workaround for FB50 version 2.3, restrict access to the APIs that disclose the user ID, user name and MAC address, and stop trusting the `user id` and `user name` request parameters in the affected endpoints until the issue is resolved. As general hardening against HPP, reject any request whose query string or body repeats a parameter name rather than silently keeping the first or last value, and take the acting user's identity from the authenticated session instead of from request parameters, so that no two layers of the service can resolve a repeated parameter differently.
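The bug class described above, as an added example that is not part of the advisory and not the vendor's code: a Python sketch of a lock-binding endpoint in which the authorization check and the write parse the same query string with different duplicate-key rules, beside a hardened version that rejects repeated parameters and takes the owner from the session. The endpoint shape, the parameter names (`user_id`, `mac`), the ownership store and the account names are assumptions made for the illustration, not the FB50 API.

```python
"""Added illustration of HTTP parameter pollution (HPP); not the FB50 API.

Endpoint shape, parameter names, account names and the ownership store are
invented for this example. Only the bug class, a repeated parameter that the
check and the action resolve differently, is taken from the advisory.
"""
from urllib.parse import parse_qs


class DuplicateParameter(ValueError):
    """Raised by the hardened parser when a query repeats a parameter name."""


def last_wins(query: str) -> dict:
    """Hand-rolled parser: a repeated key keeps its last value."""
    out = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out[key] = value
    return out


def first_wins(query: str) -> dict:
    """Library parser reduced to one value per key: the first one."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def strict(query: str) -> dict:
    """Hardened parser: a repeated key is rejected instead of resolved."""
    parsed = parse_qs(query, keep_blank_values=True)
    dupes = sorted(k for k, v in parsed.items() if len(v) > 1)
    if dupes:
        raise DuplicateParameter(f"repeated parameters: {dupes}")
    return {k: v[0] for k, v in parsed.items()}


def fresh_store() -> dict:
    """Constructed lock registry: MAC address -> owning account id."""
    return {"aa:bb:cc:dd:ee:01": "victim", "aa:bb:cc:dd:ee:02": "attacker"}


def bind_vulnerable(store: dict, query: str, session_user: str) -> str:
    """Bind a lock to the caller. The authorization step and the write step
    parse the same query with different duplicate-key rules, so they can
    disagree about which lock is being bound: that is the HPP bug."""
    check = first_wins(query)
    if check["user_id"] != session_user:
        raise PermissionError("may only bind locks to your own account")
    if store.get(check["mac"], session_user) != session_user:
        raise PermissionError("lock is owned by another account")
    act = last_wins(query)            # sees the *last* mac, not the checked one
    store[act["mac"]] = act["user_id"]
    return act["mac"]


def bind_hardened(store: dict, query: str, session_user: str) -> str:
    """Same operation with the HPP path closed: duplicates are rejected up
    front, the new owner comes from the session rather than the request,
    and the ownership check and the write use the same parsed value."""
    params = strict(query)
    mac = params["mac"]
    if store.get(mac, session_user) != session_user:
        raise PermissionError("lock is owned by another account")
    store[mac] = session_user
    return mac


def outcome(bind, store: dict, query: str, session_user: str) -> str:
    """Run a bind function and report 'ok:<mac>' or the exception name."""
    try:
        return "ok:" + bind(store, query, session_user)
    except (DuplicateParameter, PermissionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # Constructed polluted request: the first mac is the attacker's own lock
    # (passes the check), the second is the victim's (what gets written).
    polluted = "user_id=attacker&mac=aa:bb:cc:dd:ee:02&mac=aa:bb:cc:dd:ee:01"
    store = fresh_store()
    print("vulnerable:", outcome(bind_vulnerable, store, polluted, "attacker"),
          "owner now", store["aa:bb:cc:dd:ee:01"])
    store = fresh_store()
    print("hardened:", outcome(bind_hardened, store, polluted, "attacker"),
          "owner still", store["aa:bb:cc:dd:ee:01"])
```

The vulnerable path passes its check against the first `mac` and then writes the last one, which is exactly the layer disagreement HPP exploits; the hardened path has only one parse, so there is nothing left to disagree about.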