5 min read | Saved February 14, 2026
Do you care about this?
The Petlibro app, used for smart pet feeders, had serious security vulnerabilities that allowed unauthorized access to user accounts, pet data, and device controls. After the issues were reported, the company delayed fixing a critical authentication bypass for over two months, leaving users exposed. The endpoint was finally removed after public pressure.
If you do, here's more
Petlibro, a leading smart pet feeder company, has faced serious security issues, particularly an authentication bypass that has allowed anyone to log into any account. The flaw stems from their social login API, which accepts Google IDs without verifying OAuth tokens. This means a malicious user can easily take over accounts if they know someone's email. Despite acknowledging this vulnerability over two months ago, Petlibro kept the outdated endpoint active for "legacy compatibility," exposing users to account takeovers.
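To make the flaw concrete, here is an added example (not Petlibro's code) of a toy social-login handler in two versions: the vulnerable one trusts a client-supplied Google account ID, as the summary describes, while the hardened one accepts only a signed ID token and derives the identity from its verified claims. Google issues RS256 tokens checked against its published JWKS; to stay offline and stdlib-only this toy substitutes an HS256 token with a constructed shared secret, and the client ID, secret and user table are all constructed.

```python
import base64, hashlib, hmac, json, time

# Constructed values: stand-ins for Google's signing key and the app's OAuth client ID.
SECRET = b"constructed-demo-secret"
ISSUER, AUDIENCE = "https://accounts.google.com", "demo-client-id"
# Constructed account table keyed by the provider's stable subject ID.
USERS = {"sub-1001": "alice@example.com", "sub-1002": "bob@example.com"}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def login_insecure(body: dict):
    """Vulnerable pattern: whoever supplies a victim's Google ID is logged in as them.
    Nothing proves the caller actually authenticated with Google."""
    return USERS.get(body.get("google_id"))

def login_secure(id_token: str, now=None):
    """Hardened pattern: verify signature, issuer, audience and expiry,
    then take the identity from the verified `sub` claim only."""
    try:
        h, p, sig = id_token.split(".")
        expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(sig), expected):
            return None                      # forged or tampered token
        claims = json.loads(_unb64(p))
    except ValueError:                       # malformed token or bad encoding
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        return None                          # token minted for some other service
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None                          # expired
    return USERS.get(claims.get("sub"))

def mint_token(sub: str, exp: float, secret: bytes = SECRET) -> str:
    """Constructed token issuer standing in for Google, used only to drive the demo."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "sub": sub, "exp": exp}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"
```

The insecure handler returns an account for any known ID, while the secure one rejects tokens signed with the wrong key, expired tokens and malformed input, and only then maps `sub` to an account.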
The vulnerabilities go beyond just login issues. Attackers can access anyone’s pet data, hijack devices, change feeding schedules, and even listen to private audio recordings meant for pets. The situation escalated when the author reported these issues on November 5, 2025, and received a mere $500 bounty offer, which was criticized for not matching the severity of the problems. Petlibro claimed to have fixed most issues but continued to leave the vulnerable endpoint active while monitoring user upgrades. After months of delays and a lack of urgency, the old endpoint was finally removed after the author publicized the situation.
The entire episode raises concerns about Petlibro's commitment to user security. The company's handling of the vulnerabilities and its attempt to enforce a confidentiality agreement after payment cast doubt on its practices. Pet owners rely on these devices for their pets' well-being, and the failure to act decisively on known security flaws could have dire consequences.