<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Garminconnect (&lt;= 0.3.4) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/garminconnect--0.3.4/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 17:34:40 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/garminconnect--0.3.4/feed.xml" rel="self" type="application/rss+xml"/><item><title>Insecure Permission Assignment for Garmin OAuth Token Store</title><link>https://feed.craftedsignal.io/briefs/2026-07-insecure-garminconnect-permissions/</link><pubDate>Wed, 15 Jul 2026 17:34:40 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-insecure-garminconnect-permissions/</guid><description>The `garminconnect` Python library versions 0.3.4 and earlier insecurely assigned world-readable file permissions to the `garmin_tokens.json` OAuth token store, allowing local attackers on multi-user systems to steal refresh tokens and gain persistent, unauthorized access to victims' Garmin Connect accounts.</description><content:encoded><![CDATA[<p>The <code>garminconnect</code> Python library, specifically versions 0.3.4 and older, contained a critical vulnerability (CVE-2026-54447) related to insecure file permission assignment. When the library created or updated the <code>garmin_tokens.json</code> file, which stores sensitive Garmin OAuth refresh tokens, it failed to explicitly set restrictive file permissions. Under common Linux and macOS <code>umask</code> settings, this resulted in the <code>garmin_tokens.json</code> file being world-readable (0o644). This flaw allowed any unprivileged local user on a multi-user system to read the file, extract the refresh token, and consequently gain persistent, unauthorized access to the victim's Garmin Connect account. This issue was identified and reported by EQSTLab. The vulnerability impacts users who have configured the <code>garminconnect</code> library to interact with their Garmin accounts on shared host environments.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A user installs and configures the <code>garminconnect</code> library version 0.3.4 or earlier on a multi-user Linux or macOS system and authenticates with their Garmin Connect account.</li>
<li>The <code>garminconnect</code> library calls <code>Client.dump()</code>, persisting OAuth tokens, including the <code>di_refresh_token</code> and <code>di_client_id</code>, to the file <code>~/.garminconnect/garmin_tokens.json</code>.</li>
<li>Due to the <code>Client.dump()</code> function not specifying a <code>mode</code> argument for file creation, and the system operating under a default umask (e.g., <code>022</code>), the <code>garmin_tokens.json</code> file is created with world-readable permissions (0o644).</li>
<li>A separate, unprivileged local user on the same shared system discovers and reads the <code>~/.garminconnect/garmin_tokens.json</code> file, which contains the sensitive OAuth refresh token.</li>
<li>The attacker extracts the <code>di_refresh_token</code> and <code>di_client_id</code> from the world-readable JSON file.</li>
<li>The attacker then uses the stolen <code>di_refresh_token</code> and <code>di_client_id</code> to exchange for fresh access tokens from Garmin's OAuth endpoint, bypassing the need for re-authentication.</li>
<li>The attacker uses these valid access tokens to gain unauthorized, persistent access to the victim's Garmin Connect account, enabling access to health data, activity history, and device management features.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-54447 leads to local credential theft and unauthorized access to victims' Garmin Connect accounts. On multi-user Linux or macOS hosts, any local, unprivileged user can read the <code>garmin_tokens.json</code> file, which contains the refresh token. This allows the attacker to obtain persistent access to the victim's Garmin Connect data, including sensitive health and fitness information, activity history, and device management capabilities, until the stolen refresh token is explicitly revoked. The primary risk is unauthorized access to personal data and potential account hijacking.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Upgrade garminconnect</strong>: Immediately upgrade the <code>garminconnect</code> library to version 0.3.5 or later to mitigate CVE-2026-54447 by running <code>pip install --upgrade garminconnect</code>.</li>
<li><strong>Remediate existing files</strong>: Manually set secure permissions for the token store by executing <code>chmod 700 ~/.garminconnect</code> and <code>chmod 600 ~/.garminconnect/garmin_tokens.json</code> to protect existing <code>garmin_tokens.json</code> files.</li>
<li><strong>Rotate compromised tokens</strong>: If the <code>garmin_tokens.json</code> file was exposed on a shared host, treat the refresh token as compromised. Delete the existing token store (e.g., <code>rm ~/.garminconnect/garmin_tokens.json</code>) and log in again using the <code>garminconnect</code> library to mint a fresh, securely stored token.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>insecure-permissions</category><category>credential-theft</category><category>local-privilege-escalation</category><category>vulnerability</category></item></channel></rss>