Bug/Possible breach found in the dashboard. Order Number is visible to third parties.
I know that this might only apply to used devices, which are, in terms of the Meraki ecosystem, nonexistent, but I wanted to share my thoughts on the claim/unclaim inventory status page. It also applies to serial numbers that were accessible to the public, etc.
So I wanted to add a couple of devices which were in another dashboard. I get the overview of what's going to be added, but I also see the order number before my claim is even confirmed. So as a possible attacker I would try to figure out the serial number in order to gain access to details such as the Meraki order number.
Given the fact that I have access to the order number, I, as an imaginary "thief", could claim unused devices from that order.
I don't have a solution for that, but something like a helpdesk for the claim/unclaim procedure and a better interface would be great. In my opinion this is a possible data breach, but that's something that's visible to all engineers. I would also add a "reclaim" function in case devices have been "annexed" using this method.
Description: I add a serial number from another dashboard,
No, it's referring to individual devices which were unclaimed during device moving or are not yet claimed. I mean it's enough to have one serial number to gather dozens of serial numbers. I have submitted it at Bugcrowd.
FWIW, Meraki does indeed have a Bug Bounty program: https://bugcrowd.com/ciscomeraki 😃 However, I believe this is outside of scope. As @GreenMan points out, if a serial from an order is claimed, the order number itself cannot be claimed.