CVE-2023-24080
Description
A lack of rate limiting on the password reset endpoint of Chamberlain myQ v5.222.0.32277 (on iOS) allows attackers to compromise user accounts via a bruteforce attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unrestricted password-reset endpoint in Chamberlain myQ iOS v5.222.0.32277 permits brute-force of 4-digit codes, leading to full account takeover.
Vulnerability
The Chamberlain myQ iOS application version 5.222.0.32277 contains a missing rate limit on the password reset functionality. The POST /api/Account/EmailValidation endpoint accepts a 4-digit reset code (Code parameter) without any throttling, allowing an attacker to enumerate valid user accounts and brute-force the short code. A separate endpoint POST /api/Account/ForgotPassword can be used to verify the existence of an email address by checking the presence of a Location header containing a base64-encoded email for non-existent accounts [1].
Exploitation
An attacker needs only the target user's email address. The attacker first calls the ForgotPassword endpoint to confirm the account exists. Then, while the victim receives a legitimate 4-digit code via email, the attacker submits thousands of guesses to EmailValidation until a 302 response indicates success (the correct code) [1]. No rate limiting or CAPTCHA is enforced, and the attack is fully automatable.
Impact
Successful brute-force of the reset code allows the attacker to change the victim's password and take over the myQ account. This grants control over connected devices such as garage door openers, cameras, and smart locks, potentially enabling physical intrusion or surveillance [1].
Mitigation
Chamberlain deployed a server-side fix on 20 January 2023, adding rate-limiting or code complexity without requiring a client update. Users should ensure their app is updated to the latest version and enable two-factor authentication if available. The CVE is not listed on CISA's KEV [1].
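As an added illustration (not Chamberlain's code and not the myQ API), the following Python sketches the reset-code verification pattern the advisory describes beside a throttled alternative: a short code accepted for unlimited attempts, versus a long single-use code with an attempt budget, an expiry, and a forgot-password reply that is identical whether or not the address is registered. The class and method names, the in-memory store, and the reply text are assumptions constructed for this example; the 5-attempt cap and 10-minute lifetime are illustrative values, not the values Chamberlain deployed.

```python
"""Added example for CVE-2023-24080 (hypothetical code, not the vendor's).
Storage is an in-memory dict constructed for the example; a real service
would keep the same records in a database or cache."""
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class ResetCode:
    code: str
    issued_at: float
    attempts: int = 0


class VulnerableResetService:
    """Mirrors the reported weakness: 4-digit code, no attempt limit, no expiry."""

    def __init__(self):
        self._codes = {}

    def issue(self, email, now=None):
        code = f"{secrets.randbelow(10_000):04d}"       # only 10,000 possible values
        self._codes[email] = ResetCode(code, now if now is not None else time.time())
        return code

    def verify(self, email, guess, now=None):
        rec = self._codes.get(email)
        if rec is None:
            return False
        return rec.code == guess   # no counter, no expiry: every wrong guess is free


class HardenedResetService:
    """Long single-use code, capped attempts, expiry, enumeration-safe reply."""

    MAX_ATTEMPTS = 5          # illustrative budget per issued code
    TTL_SECONDS = 600         # illustrative lifetime
    GENERIC_REPLY = {"status": 202,
                     "message": "If that address is registered, a reset code has been sent."}

    def __init__(self, registered_emails):
        self._registered = set(registered_emails)
        self._codes = {}

    def forgot_password(self, email, now=None):
        # Same response for known and unknown addresses, so the endpoint cannot
        # be used to confirm which accounts exist (contrast the Location-header leak).
        if email in self._registered:
            self.issue(email, now)     # the code would be delivered out of band
        return dict(self.GENERIC_REPLY)

    def issue(self, email, now=None):
        code = secrets.token_urlsafe(16)   # 128 bits of entropy instead of 4 digits
        self._codes[email] = ResetCode(code, now if now is not None else time.time())
        return code

    def verify(self, email, guess, now=None):
        now = now if now is not None else time.time()
        rec = self._codes.get(email)
        if rec is None:
            return False
        if now - rec.issued_at > self.TTL_SECONDS:
            del self._codes[email]          # expired: a fresh code must be requested
            return False
        if rec.attempts >= self.MAX_ATTEMPTS:
            del self._codes[email]          # budget spent: even the right code is refused
            return False
        rec.attempts += 1
        if hmac.compare_digest(rec.code.encode(), guess.encode()):
            del self._codes[email]          # single use
            return True
        return False
```

Counting attempts against the issued code rather than against the client IP is the important design choice: it bounds the number of guesses an attacker can make regardless of how many source addresses they use, and the 128-bit code makes the bounded budget irrelevant in any case. The constant forgot-password reply closes the account-enumeration side channel separately from the throttling fix.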
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Chamberlain/myQ
- Range: =5.222.0.32277
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.