Hey there,
I know that this might only apply to used devices, which, in terms of the Meraki ecosystem, do not exist, but I wanted to share my thoughts on the claim/unclaim inventory status page. It also applies to serial numbers that were accessible to the public, etc.
So I wanted to add a couple of devices that were in another dashboard. I get the overview of what is going to be added, but I also see the order number before my claim was even confirmed. So as a possible attacker I would try to figure out the serial number in order to gain access to details such as the Meraki order number.
Given the fact that I have access to the order number, I, as an imaginary "thief", could claim unused devices from that order.
I don't have a solution for that, but something like a helpdesk for the claim/unclaim procedure and a better interface would be great. In my opinion this is a possible data breach, but that's something that's visible to all engineers.
I would also add a "reclaim" function in case devices have been "annexed" using this method.
Description:
I add a serial number from another dashboard,
I confirm the license/network settings -> https://n12345.meraki.com/o/Organization-ID/manage/organization/license/claim_orders/assign_networks...
In the next screen I can see details that should be protected (in my opinion, because using the order number, unused licenses and devices could be "annexed").
![MerryAki_0-1687860580714.png](https://community.meraki.com/t5/image/serverpage/image-id/30970iAC30298ED8306AB8/image-size/medium?v=v2&px=400)
As said, this also applies to devices that were operated by another dashboard:
![MerryAki_0-1687860933173.png](https://community.meraki.com/t5/image/serverpage/image-id/30971i4C15CC30A2D53E3E/image-size/medium?v=v2&px=400)
Sorry, but some messages are in German 🇩🇪 btw.
Meraki Staff, in case you think this is inappropriate for the forum, please move/restrict it and contact me via DM; normally companies like Cisco should have a bug bounty program 😋
TL;DR: I think some measures in the claim process are good, like the time interval (~some claims per five minutes or so), but others are too weak or too strong.