Circle with Disney Weak Authentication Vulnerability (CVE-2017-2864)

ID SSV:96817
Type seebug
Reporter Root
Modified 2017-11-08T00:00:00



An exploitable vulnerability exists in the authentication token generation functionality of Circle with Disney. Specially crafted network packets can cause a valid authentication token to be returned to the attacker, resulting in authentication bypass. An attacker can send a series of packets to trigger this vulnerability.

Tested Versions

Circle with Disney

Product URLs

CVSSv3 Score

9.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


CWE-639 - Authorization Bypass Through User-Controlled Key


Circle with Disney is a network device used to monitor internet use of children on a given network.

When making any request to the Circle, an authentication token must be provided. To request a token, a client specifies an appid, a unique string used to identify the client, as well as a hash, a SHA1 hash used to verify that the client should have access to the device. One secret piece of information is a 4-digit PIN. The hash is calculated as follows: hash = SHA1(appid + pin)

The client provides both the appid and the hash. Because the key space for the PIN is only 10000, an attacker can easily brute force this PIN to retrieve an authentication token. With the authentication token in hand, an attacker can make any of the available API calls.
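The following is an added example, not code from the advisory or from the Circle firmware: a sketch of how a token issuer could bound online guessing against the hash = SHA1(appid + pin) check described above. The class name, the lockout parameters and the sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import secrets
import time

PIN_KEYSPACE = 10 ** 4  # 4-digit PIN, per the advisory


def advisory_hash(appid: str, pin: str) -> str:
    """Scheme described in the advisory: hash = SHA1(appid + pin)."""
    return hashlib.sha1((appid + pin).encode()).hexdigest()


class ThrottledTokenIssuer:
    """Hypothetical issuer (not Circle's code) that bounds online guessing.
    Failures are counted per device: the appid is client-chosen, so a
    per-appid counter could be reset by changing it."""

    def __init__(self, pin, max_failures=5, lockout_seconds=900,
                 clock=time.monotonic):
        self._pin = pin
        self._max_failures = max_failures
        self._lockout_seconds = lockout_seconds
        self._clock = clock
        self._failures = 0
        self._locked_until = 0.0

    def request_token(self, appid: str, client_hash: str):
        now = self._clock()
        if now < self._locked_until:
            return None  # refuse even a correct hash while locked out
        expected = advisory_hash(appid, self._pin)
        # Constant-time comparison avoids leaking a matching prefix.
        if hmac.compare_digest(expected.encode(), client_hash.encode()):
            self._failures = 0
            return secrets.token_hex(16)  # random, unrelated to the PIN
        self._failures += 1
        if self._failures >= self._max_failures:
            self._failures = 0
            self._locked_until = now + self._lockout_seconds
        return None


def min_exhaust_seconds(max_failures=5, lockout_seconds=900):
    """Lower bound on the time needed to try every PIN under the lockout."""
    windows = math.ceil(PIN_KEYSPACE / max_failures) - 1
    return windows * lockout_seconds
```

With these assumed parameters the lockout stretches a full sweep of the PIN space to roughly 20.8 days, but the key space is still 10000, so a longer secret remains the stronger fix. A device-wide lockout also lets anyone on the network delay legitimate clients, which is the availability cost of not keying the counter on the client-supplied appid.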


  • 2017-07-13 - Vendor Disclosure
  • 2017-10-31 - Public Release


Discovered by Cory Duplantis, Yves Younan, Marcin 'Icewall' Noga, Claudio Bozzato, Lilith Wyatt <(^_^)>, Aleksandar Nikolic, and Richard Johnson of Cisco Talos.