[Suggested description]
An issue was discovered in WiZ Colors A60 1.14.0.
API credentials are locally logged.
------------------------------------------
[Additional Information]
An issue was discovered in WiZ Colors A60 1.14.0.
Applications commonly write general diagnostic information to the
system log. The WiZ application also writes to the log, but in addition
to generic information it submits API credentials to the Android log.
The credentials reflected in the log can be used to perform authorised
requests on behalf of the user and therefore to control the lights just
as the user can through the application. Obtaining this information
requires access to the device logs, which is most easily done via local
access to the device, and also by other apps on rooted devices.
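The following is an added example, not code from the advisory or from the WiZ application, showing how a reviewer can check a captured Android logcat dump for the class of leak described above and how the offending messages should be redacted. The logcat lines, tag names and credential values are constructed for this example; the regular expressions are assumptions about what a leaked credential usually looks like, not a description of the WiZ app's actual log format.

```python
import re
from dataclasses import dataclass

# Constructed sample of Android logcat "threadtime" output. These lines are
# invented for this example and are not output from the WiZ application.
SAMPLE_LOGCAT = """\
04-18 10:21:03.118  4711  4733 D NetClient: GET /v2/devices
04-18 10:21:03.120  4711  4733 D NetClient: header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLE.TOKEN
04-18 10:21:03.121  4711  4733 I LightCtl: set brightness=80 for light 3
04-18 10:21:03.402  4711  4733 D NetClient: login ok api_key=sk_EXAMPLE_1234567890abcdef
04-18 10:21:04.001  4711  4733 W Battery : level 42
"""

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<date>\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>[VDIWEF])\s+"
    r"(?P<tag>[^:]+?)\s*:\s?(?P<msg>.*)$"
)

# Heuristic patterns (assumed, not from the advisory) for credential material:
# an Authorization header with an optional scheme, or a key/value pair whose
# key name suggests a secret.
SECRET_PATTERNS = [
    re.compile(r"\bAuthorization:\s*(?:\w+\s+)?(?P<secret>\S+)", re.I),
    re.compile(r"\b(?:api[_-]?key|token|secret|password|pwd)\s*[=:]\s*(?P<secret>\S+)", re.I),
]


@dataclass
class Finding:
    line_no: int   # 1-based line in the captured dump
    tag: str       # logcat tag of the component that wrote the message
    secret: str    # the credential fragment that reached the log


def parse_logcat(text):
    """Return (line_no, tag, message) for every well-formed threadtime line."""
    entries = []
    for n, line in enumerate(text.splitlines(), 1):
        m = LOGCAT_RE.match(line)
        if m:
            entries.append((n, m.group("tag"), m.group("msg")))
    return entries


def find_leaked_credentials(text):
    """Flag every log message that carries something resembling a credential."""
    findings = []
    for n, tag, msg in parse_logcat(text):
        for pat in SECRET_PATTERNS:
            m = pat.search(msg)
            if m:
                findings.append(Finding(n, tag, m.group("secret")))
                break  # one finding per line is enough for triage
    return findings


def redact(msg):
    """Mitigation side: mask the secret portion before a message is logged."""
    out = msg
    for pat in SECRET_PATTERNS:
        out = pat.sub(lambda m: m.group(0).replace(m.group("secret"), "[REDACTED]"), out)
    return out


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOGCAT):
        print(f"line {f.line_no} tag {f.tag}: leaked {f.secret[:8]}...")
    print(redact("header Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.EXAMPLE.TOKEN"))
```

Run against a real capture with `adb logcat -v threadtime -d > dump.txt` and feed the file contents to `find_leaked_credentials`. On the application side the fix is to never pass headers, tokens or login responses to `android.util.Log` at all, and to strip debug logging from release builds (for example through an R8/ProGuard `-assumenosideeffects` rule on `android.util.Log`), since on rooted devices or with physical access any other process can read the log.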
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
WiZ Connected
------------------------------------------
[Affected Product Code Base]
WiZ Colors A60 - 1.14.0
------------------------------------------
[Affected Component]
Wiz Android Application 1.15.0
------------------------------------------
[Attack Type]
Physical
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
Physical access or local root access on the mobile phone is required in order to exploit this issue.
------------------------------------------
[Reference]
N/A
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Wouter Wessels, Willem Westerhof, Jasper Nota, Jim Blankendaal
Use CVE-2020-11923.