Incorrect authorization vulnerability in HTTP POST method in Govee Home application on Android and iOS allows remote attacker to control devices owned by other users via changing "device", "sku" and "type" fields' values. This issue affects Govee Home applications on Android and iOS in versions before 5.9.
The Govee Home application does not properly verify whether the user sending an HTTP POST request is the owner of the specified device. An attacker can modify the values of 'device', 'sku', and 'type' fields in the request body, providing identifiers of devices belonging to other users. This makes it possible to issue commands to others' devices without any authorization and without requiring victim interaction.
An attacker can gain full control over smart home devices of other users (e.g., lighting, home appliances), affecting their availability and operational integrity. The attack is possible remotely, without authentication, and without the device owner's knowledge.
Update the Govee Home application to version 5.9 or later, available in Google Play Store and Apple App Store. Until the update is applied, it is recommended to limit the use of the application in public environments.
Govee Home application on Android and iOS in versions earlier than 5.9.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H