CVE-2023-3612
📋 TL;DR
The Govee Home app has an unprotected WebView component that allows any app on the device to open it with arbitrary URLs. This enables attackers to execute JavaScript in the WebView context or display phishing content to steal sensitive user data. All users of the vulnerable Govee Home app versions are affected.
💻 Affected Systems
- Govee Home mobile application
📦 What is this software?
Home by Govee
⚠️ Risk & Real-World Impact
Worst Case
Attackers could execute arbitrary JavaScript in the WebView context, potentially accessing device data, stealing credentials through phishing, or performing actions within the Govee Home app as the user.
Likely Case
Attackers would display phishing pages to steal user credentials or personal information, potentially gaining access to the user's Govee account and connected smart home devices.
If Mitigated
With proper WebView security controls, the vulnerability would be prevented: the WebView component would not be launchable by other apps, and it would load only URLs from trusted sources.
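As an added illustration of that control (example code written for this page, not Govee's own code), the Android activity below loads a URL handed to it by an intent only after checking it against a fixed allowlist of HTTPS hosts, and applies the same check to every navigation inside the page. The package name, activity name and host names are placeholders.

```java
// Added example (not Govee's code): a WebView activity that refuses any URL
// not on an explicit allowlist, whoever sent the launching intent.
package com.example.webviewdemo; // hypothetical package name

import android.net.Uri;
import android.os.Bundle;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import androidx.appcompat.app.AppCompatActivity;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class SafeWebViewActivity extends AppCompatActivity {
    // Hosts this activity may render. Hypothetical values for the example.
    private static final Set<String> ALLOWED_HOSTS = new HashSet<>(Arrays.asList(
            "app.example.com", "help.example.com"));

    /** Returns true only for https URLs whose host is exactly on the allowlist. */
    static boolean isAllowed(Uri uri) {
        if (uri == null) return false;
        // Only https: this rejects javascript:, file:, content:, intent: and http: URLs.
        if (!"https".equalsIgnoreCase(uri.getScheme())) return false;
        String host = uri.getHost();
        if (host == null || host.isEmpty()) return false;
        // Exact host match, so "app.example.com.evil.net" is rejected.
        // Uri.getHost() strips userinfo, so "evil.net@app.example.com" style
        // authorities resolve to the real host before the comparison.
        return ALLOWED_HOSTS.contains(host.toLowerCase());
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // Keep the attack surface small: no JavaScript and no file:// access
        // unless a specific allowlisted page is known to need them.
        webView.getSettings().setJavaScriptEnabled(false);
        webView.getSettings().setAllowFileAccess(false);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true blocks the navigation; redirects and links that
                // leave the allowlist are therefore dropped.
                return !isAllowed(request.getUrl());
            }
        });

        Uri target = getIntent().getData();
        if (!isAllowed(target)) {
            // Refuse to load anything rather than fall back to the supplied URL.
            finish();
            return;
        }
        webView.loadUrl(target.toString());
    }
}
```

In the manifest, the activity should additionally be declared with `android:exported="false"` (or guarded by a signature-level permission) so that other apps cannot launch it at all; the allowlist then remains as a second layer that also covers deep links and in-page redirects.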
🎯 Exploit Status
Exploitation requires the attacker to have a malicious app installed on the same device or to trick the user into interacting with malicious content. The vulnerability is straightforward to exploit once the attack vector is established.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in provided references, but updates should be available through app stores
Vendor Advisory: https://www.sk-cert.sk/threat/sk-cert-bezpecnostne-varovanie-v20230811-10
Restart Required: Yes
Instructions:
1. Open your device's app store (Google Play Store or Apple App Store).
2. Search for 'Govee Home'.
3. If an update is available, tap 'Update'.
4. After updating, restart the Govee Home app.
🔧 Temporary Workarounds
- Disable app installation from unknown sources (applies to: all): Prevents installation of malicious apps that could exploit this vulnerability
- Review app permissions (applies to: all): Check which apps have permission to open other apps and revoke unnecessary permissions
🧯 If You Can't Patch
- Uninstall the Govee Home app until a patched version is available
- Use the Govee Home app only on a dedicated device with no other apps installed
🔍 How to Verify
Check if Vulnerable:
Check your Govee Home app version in the app settings or app store listing. If it's not the latest version available, you may be vulnerable.
Check Version:
No command available - check within the Govee Home app settings or your device's app store
Verify Fix Applied:
After updating, verify the app version matches the latest version in the app store. Test that the WebView component only opens trusted URLs.
📡 Detection & Monitoring
Log Indicators:
- Unusual WebView activity in app logs
- Unexpected URL launches from other apps
Network Indicators:
- Connections to suspicious domains from the Govee Home app
- Unexpected JavaScript execution in app traffic
SIEM Query:
Not applicable for mobile app vulnerabilities in typical enterprise SIEM environments