Slashdot Mirror
Multiple Vulnerabilities Exposed In Pocket
vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.
The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
There's a vulnerability in my jacket pocket too, it's called a 'hole'.
These seem like pretty basic things to get wrong.
Your hair look like poop, Bob! - Wanker.
Stop with the stupid integrated cloud services. It's a fucking web browser, if I want to use a web service I will GO THERE MYSELF.
I'm really old-style. I bookmark the sites I regularly visit and that's it. I don't need this level of "continuity" (also referencing the Apple feature).
Maybe I don't miss what I don't know or maybe I don't care about what I miss. Besides, these days web sites are mostly story aggregators so there's probably not a whole lot of original content to miss.
Personally, because I'm too lazy to find an alternative solution for what FoxyProxy does.
I'm drifting that way though.
pr0n - keeping monitor glass spotless since 1981.
Quite simply: It's not Google.
Some people think it's more secure. These people are usually the ones who also run Internet Explorer, have Kwikset locks, and use "The Club" style steering wheel locks...
Like all the other crap that's been added to our "browser", there should not be any default.
If you want to save a web page for later perusal on the same device, you can use Scrapbook Plus. It works. (If you want to install it on a recent browser and not an extended support release, scroll down and install from the development channel.)
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
I would love to use Firefox for more than web dev. At this point I consider all web browsers to be crap and look forward to the next Firefox-like browser to shake things up.
Quite simply: It's not Google.
Neither are these.
Am I missing something, or is there absolutely no point in this "Pocket" service? To save articles to read later? Isn't that what bookmarks are for? To save these across multiple computers? Chrome does that for me already... And I'm still not sure what they mean by making it readable offline later? Is it saving an entire copy of the article on the server? Wouldn't you still require ONLINE access to actually get these files or are they shadowed to your local device to?
If that's the case, there's this amazing "save as" option in most browsers, even "offline mode". None of these give anyone root access to anything. The thing is full of holes and apparently fills a niche for what, 1 guy too lazy to bookmark stuff? WTH
I don't get the point of this software at all. And I find it pretty insane that a system to merely let you save articles to read later would somehow gain root priv. What the heck is going on in the backend to allow that?
Because it doesn't shit itself every 5 minutes unlike Chrome
For the better part of a year I thought my OS was becoming unstable because of the non-stop crashing / memory leaks and general failure of Chrome to do anything, then I switched back to Firefox (after probably 8 years or so of abandonment) and discovered that it not only ran better but rarely crashed. The UI is pretty nice as well
It's not perfect but then, what is
If an attacker can get a specially crafted "HAND" installed into pocket, the entire contents of pocket become exposed and can be taken unnoticed.
Pockets that are installed on "London Commuter" and "Paris Tourist" are particularly susceptible to HAND attacks
The vulnerability affects the backend Pocket webserver (and the AWS account that the Pocket servers run in).
I don't see how this affects me personally just because I use Firefox as a web browser.
I'm getting to the point of just assuming that anything in the Cloud is insecure. That assumption makes security so much easier. There is no security.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Everybody knows forward slashes are the way to go.
Multiple gmail accounts in multiple browsers.
A locked down Firefox which doesn't run anything beyond HTML ... no cookies, no javascript, no Flash.
Sometimes, you need different browsers depending on the degree of trust for the site in question.
And anybody running ANY browser without addons to block the crap on the internet is probably clueless ... none of them are safe, secure, or give a damn about your privacy out of the box.
Except that none of those are portable either. Firefox just runs on almost any OS you want it to run on.
I gave up with the idea of an useful sig...
Because its no worse than Chrome
Why is anyone still running Firefox?
I haven't met a privacy concern I can't address yet with Firefox, whereas with Chrome I can only cover about 50% of the issues. I don't agree with the Set of Recent Distraction Additions, but with Firefox I can at least get robust control over every bit of my browsing experience. [NoScript, Cookie Whitelist, uMatrix, +hosts blacklist, in case you were curious. No Adblocker required.]
Populus vult decipi, ergo decipiatur...
"Force shits upon Reason's back." - Poor Richard's Almanac
The backlash has caused Mozilla to take a step back and re-evaluate things. But is it too little too late?
To me it looks as if Mozilla is in circle the wagons mode, being super defensive across the board. Constructively critical reviews about add-ons are being removed, apparently to keep the ratings in the 4 to 5 range for add-ons. Messages documenting problems are being removed in the support forums. (I saw one message that described a problem similar to the one I was having. When I went back to re-read it a day later, it had been removed.)
It looks like Mozilla has made its transition to a bloated corporation complete. They now appear to be in the "control the message" mode of operation.
1) Plugin choice, 2) It's not (quite) corporate-ware like Chrome etc.
Table-ized A.I.
Because it makes my life easier than the others, with specialized addons, an address bar that's actually helpful, ways to work around just about everything when things go bad, and generally uses less RAM to do the same thing as the other browsers. Plus it's not like I can't fall back on another browser for the rare cases when they handle something substantially better.
Because I can actually turn this shit off. On chrome if they take it out of chrome://flags you're screwed.
Or are you just happy to see me?
Disable Hello, Pocket & Reader+, for your health
https://addons.mozilla.org/en-US/firefox/addon/disable-hello-pocket-reader/?src=api
Why is anyone still running Firefox? (Other than those of us who need to a keep a copy around for web dev.)
Because
dnf install firefox works.
dnf install chrome does not.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Differentiating between a browser crash and an unstable OS is easy. A browser crash only kills the browser itself. It doesn't take the OS or the word processor with it - ever.
An unstable OS will sometimes crash completely, it will crash different applications from time to time, and several at once (as in "the browser crash also took down excel for me...")
Because Chrome actually breaks things in our M$ work environment.
http://harridanic.com
and use Chromium. It's 100% FLOSS (Firefox no longer is because of all the third-party binaries integrated therein), doesn't choke to death on memory leaks, and the default telemetry collection (spyware) is just as invasive as Firefox's.
How does one obtain the private key for root loging to a server in amazon ec2 cloud, if said private key is not stored on said server?
I have a browser open while I'm doing everything but hey really all I know is I switched browsers and things started to suck less, a lot less. Remarkably less.
And the bonus is I get access to all the great tools that live in the Firefox space. I don't miss Chrome in the least.
I used to hate FF with a passion, but in leaving for so long and coming back to me it seems like a great alternative
YMMV
Alternatives? Chrome is even worse regarding it's update schedules. Anything from Microsoft is just right out and is unportable. Safari just feels wrong to me. The question is rhetorical though, I don't need to hear from the opera fans and advocates of something goofy. Firefox does the job, allows plugins to increase security and decrease malware, and is open source (but using idiot management, but that's true for all other browsers on the planet).
The word you're looking for is B-A-C-K-L-A-S-H. I think backslash is an alternate universe of Slashdot...
To Copy from One is Plagiarism; To Copy from Many is Research.
Random agent spoofer is another pretty nice tool to have in your privacy bag.
Is there something wrong with kwikset locks I should know about?
The last time I was broken into they cut through a double roof (it used to be a flat top) broke out a window and climbed through the bars to get out.
He also broke the glass out of a unlocked display case to take one item.
A few thousand dollars in damage for a $300 gun. Afaik the guy is still in jail. Although I don't think on that charge.
Minimum threshold fixed. Thanks!
Is there something wrong with kwikset locks I should know about?
Poor tolerances allow a set of 243 keys to open any Smart Key lock.
A decoding tool was developed by Shane Lawson (Valanx) of the locksport group FOOLS.
Various low-skill, quick bypass and destructive entry techniques can be used against the Smart Key.
The Kwikset Classic locks (i.e. non-Smartkey) are even worse; like most ordinary pin-tumbler locks, they can be bumped open.
There were several in the version of Chrome the IT department installed.
The straw that broke the camel's back for me was the inability to remove a typo-squatting, not-safe-for-work, website address from the drop-down autocomplete suggestions in the address bar.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
You still havent named anything you can do in Firefox you can't do in Chrome. All those exist as equivalent chrome extensions.
Your hair look like poop, Bob! - Wanker.
And http everywhere? At least until Firefox 42
regarding it's update schedules.
regarding its update schedules.
FTFY.
.
Might I recommend Opera? It is built on Chromium but strips out all the privacy invading crap that Google has. It is open, it is free, and it is pretty good. You can use extensions from Opera or even Google so you have a lot of choices. It is stable as all hell. It has a temporary save state so when you POST data you can press back and make changes to your input. It is quick, easy, and ranks very well in a number of tests. It is also seemingly gaining market share.
I have been using Opera since the days that you had to pay for it. So I am a little biased but I also have donated to Mozilla and they even put my name in some newspaper or other (I forget which one - it was a big thing to them at the time though I did not really care). Opera generally has been the browser to incorporate the new features before other browsers get them. I have been a fan for a very, very long time.
Portable versions can be built or downloaded. It's worth the time to check, if you are interested in an alternative, and I've had great luck with them.
"So long and thanks for all the fish."
As many have said, it is insane to save things related to your personal interests on an anonymous server. Most of us have trilobytes of hard drive space available--so use it. Also, few web pages are worth saving due to the 30% devoted to content, 70% to obnoxious noise. So, some cleanup is desirable.
Here's what works on my Mac (YMMV): I find an interesting page that I haven't time to study right now so my first choice is to Copy the text and Paste it into a text editor. Perhaps there are pictures and charts that I want to include- I can copy & paste them too, but that's time consuming and some formatting is often lost.
The next option (brilliant, you'll agree) is to turn on the Add-On called HackTheWeb. Oooh, you're gonna like it. So now I can select elements of the page to Remove or maybe a central article to Isolate. On a very complex page it can be tricky to get just what you want without all the cruft. Get rid of the ads, doodads and other junk leaving a nice clean article to save.
Finally, with the Mac I go to the Print menu and verify that it looks like I expect, and then I Print to PDF. I have a clean copy ON MY DRIVE, and not some foreign server. The entire process takes 1-3 minutes but it results in an easy to read page that can be proudly shared with other interested parties.
...omphaloskepsis often...
If I understand this disclosure correctly, the SSL/TLS Private Key could be read by anyone aware of the vulnerability and could figure out the location of the private key (or location of the configuration specifying the location of the private key). Should Pocket really still be using the same certificate from April 2015?!