Information security man Clint Ruoho has detailed server-side vulnerabilities in the popular Pocket add-on bundled with Firefox that may have allowed user reading lists to be populated with malicious links.
The since-patched holes were disclosed July 25 and fixed August 17 after a series of botched patches, and gave attackers access to the process running as root on Amazon servers.
Ruoho says the bookmarking app functioned as an internal network proxy, and subsequent poor design choices meant he could glean information on users, including IP address data and the URLs customers saved for later reading. Adding redirects meant he gained access to the /etc/passwd file.
“Applications similar to Pocket require some logic to handle HTTP redirects on links [and] I added a link to my queue that resulted in a somewhat malicious redirect,” Ruoho says.
“After refreshing the Pocket app on my Android phone, the (reading) list included file:///etc/passwd. Clicking on the item revealed the full contents of /etc/passwd.”
He says chained vulnerabilities could allow an attacker to grab the /etc/passwd file, SSH keys and internal IP addresses, and launch a secure shell into Pocket’s private IP address backend.
Security bod Ty Miller of Sydney-based Threat Intelligence says that while the hack affected Pocket’s servers, an attacker could have targeted users by manipulating reading links.
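One way a link-saving service can vet every hop of a redirect chain like the one described above, shown as an added example (not Pocket's code and not part of the original article). The function names, hostnames, addresses and redirect responses are constructed for illustration, and the fetcher and resolver are stand-ins so the block runs offline.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}

class BlockedURL(Exception):
    """Raised when a hop in the redirect chain must not be fetched."""

def check_hop(url, resolve):
    """Validate one URL before fetching it; return the vetted addresses."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:   # stops file:///etc/passwd
        raise BlockedURL(f"scheme not allowed: {url}")
    host = parts.hostname
    if not host:
        raise BlockedURL(f"no host in URL: {url}")
    try:
        addrs = [ipaddress.ip_address(host)]          # host is an IP literal
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(host)]
    # Every resolved address must be public. A real fetcher should then connect
    # to one of these vetted addresses rather than resolving the name again.
    if not addrs or any(not a.is_global for a in addrs):
        raise BlockedURL(f"non-public or unresolvable host: {host}")
    return addrs

def follow(url, fetch, resolve, max_hops=5):
    """Follow redirects by hand, re-validating each hop; return the final URL."""
    for _ in range(max_hops + 1):
        check_hop(url, resolve)
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            return url
        url = urljoin(url, location)                  # Location may be relative
    raise BlockedURL("too many redirects")

# Constructed sample data: fake DNS answers and fake redirect responses.
DNS = {"news.example": ["93.184.216.34"], "evil.example": ["93.184.216.34"],
       "intranet.example": ["10.0.0.5"]}
REDIRECTS = {"http://evil.example/a": (302, "file:///etc/passwd"),
             "http://evil.example/b": (302, "http://intranet.example/status"),
             "http://evil.example/c": (302, "http://10.0.0.5/"),
             "http://news.example/old": (301, "/new")}

def verdict(url):
    """Run the checker over the constructed data; return final URL or reason."""
    try:
        return follow(url, lambda u: REDIRECTS.get(u, (200, None)),
                      lambda h: DNS.get(h, []))
    except BlockedURL as exc:
        return f"blocked: {exc}"
```

The check runs on the first URL and on each `Location` target, so a harmless-looking link that redirects to a local file or a private address is rejected at the hop where it turns hostile.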