I was staying at an Airbnb. The host used a smart lock with a shared access system: you receive a URL with a time-limited token that refreshes during your stay and expires when you check out. You open the link on your phone, and there is an unlock button. Clean, modern, convenient.

The lock had a geofencing feature. The idea is that the button only works when you are physically near the property. If you wander too far, you cannot unlock remotely. This makes sense as a security boundary: the token might be shared, forwarded, or intercepted, but at least the attacker would need to be on-site to use it.

I opened the link on my laptop instead of my phone and looked at the source.

The geolocation check runs entirely in the browser. When you are outside the defined radius, the app sets the `disabled` attribute on the unlock button. That is the entire enforcement mechanism: the button is merely disabled client-side. The API endpoint that triggers the unlock has no server-side location validation whatsoever.

Remove the disabled attribute in DevTools. Click the button. The door opens.

The token is valid. The API accepts the request without checking where it came from. You could be sitting in a different country.

I have reported this through the manufacturer’s responsible disclosure channels. Disclosure pending their response.