I bought a FitBit Aria half price on Amazon last week and activated it today.
The process is quite simple but managed to upset me (and also NetworkManager was not very helpful: I had to kill it once so that it would agree to reconnect after losing the connection, after killing the applet once so that clicking would have any effect...).
First, you create an account and start the web wizard. Then you connect to the AriaXXXX WiFi network and continue the wizard.
It will detect the available WiFi networks and the page will fetch the results in js:
    GET /scale/ssid_info.js HTTP/1.1

    0166
    { "networks": [
    { "ssid": "BTWiFi-with-FON", "sig": 2, "pw": 0 },
    { "ssid": "BTWiFi", "sig": 2, "pw": 0 },
    { "ssid": "FOO12345", "sig": 1, "pw": 52 },
    ], "error_code" : 0, "error_msg" : '' }
    0
The server has an interesting description in its HTTP header: Server: $ProjectRevision: 4.2.2.12 $. I don't know which version control system uses the $ProjectRevision keyword.
After you have selected one and entered the password, you reach the part which upset me:
GET /scale/setup?custom_password=MyPassword&ssid=FOO12345
It has sent my WiFi password using an unencrypted HTTP connection over unencrypted WiFi to my neighbours and people passing by!
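
One way to catch this kind of leak when reviewing a captured device setup flow, as an added example that is not part of the original post: the script scans plaintext HTTP request lines for secret-looking query parameters and redacts them before they are logged or shared. The parameter-name pattern and the function names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumption: substrings of parameter names that usually carry a secret.
SENSITIVE = re.compile(r"pass(word|wd|phrase)?|pwd|psk|secret|token|key", re.I)
# Request line; the HTTP version is optional because captures are often trimmed.
REQUEST_LINE = re.compile(r"^([A-Z]+)\s+(\S+)(\s+HTTP/\d\.\d)?$")


def audit_request_line(line):
    """Return (redacted_line, leaked_parameter_names) for one request line."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return line, []
    method, target, version = m.group(1), m.group(2), m.group(3) or ""
    parts = urlsplit(target)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if SENSITIVE.search(name) and value:
            leaked.append(name)
            value = "[REDACTED]"
        pairs.append((name, value))
    if pairs:
        # Re-encode the query, keeping the redaction marker readable.
        target = parts.path + "?" + urlencode(pairs, safe="[]")
    return f"{method} {target}{version}", leaked


def audit_capture(lines):
    """Return [(line_number, redacted_line, leaked_names)] for leaking lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        redacted, leaked = audit_request_line(line)
        if leaked:
            findings.append((number, redacted, leaked))
    return findings


# The first two request lines are the ones shown in the post; the third is constructed.
SAMPLE = [
    "GET /scale/ssid_info.js HTTP/1.1",
    "GET /scale/setup?custom_password=MyPassword&ssid=FOO12345",
    "GET /index.html?lang=en HTTP/1.1",
]

if __name__ == "__main__":
    for number, redacted, leaked in audit_capture(SAMPLE):
        print(f"line {number}: secret in cleartext query {leaked}: {redacted}")
```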