Slashdot Mirror
Multiple Vulnerabilities Exposed In Pocket
vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.
The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
Stop with the stupid integrated cloud services. It's a fucking web browser, if I want to use a web service I will GO THERE MYSELF.
I'm really old-style. I bookmark the sites I regularly visit and that's it. I don't need this level of "continuity" (also referencing the Apple feature).
Maybe I don't miss what I don't know or maybe I don't care about what I miss. Besides, these days web sites are mostly story aggregators so there's probably not a whole lot of original content to miss.
Quite simply: It's not Google.
Well, in my experience Security 101 is something most people either don't know, or don't bother with.
A tremendous amount of stuff comes out as "oooh, look ... shiny", and then you quickly discover security was kind of slapped on at the end, or not done at all.
I've just started assuming that if someone says "hey, I have this thing which uses the network" that it's got security problems.
Sadly, I keep getting proven right.
Lost at C:>. Found at C.
Am I missing something, or is there absolutely no point in this "Pocket" service? To save articles to read later? Isn't that what bookmarks are for? To save these across multiple computers? Chrome does that for me already... And I'm still not sure what they mean by making it readable offline later? Is it saving an entire copy of the article on the server? Wouldn't you still require ONLINE access to actually get these files or are they shadowed to your local device to?
If that's the case, there's this amazing "save as" option in most browsers, even "offline mode". None of these give anyone root access to anything. The thing is full of holes and apparently fills a niche for what, 1 guy too lazy to bookmark stuff? WTH
I don't get the point of this software at all. And I find it pretty insane that a system to merely let you save articles to read later would somehow gain root priv. What the heck is going on in the backend to allow that?
I'm getting to the point of just assuming that anything in the Cloud is insecure. That assumption makes security so much easier. There is no security.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
Why is anyone still running Firefox?
I haven't met a privacy concern I can't address yet with Firefox, whereas with Chrome I can only cover about 50% of the issues. I don't agree with the Set of Recent Distraction Additions, but with Firefox I can at least get robust control over every bit of my browsing experience. [NoScript, Cookie Whitelist, uMatrix, +hosts blacklist, in case you were curious. No Adblocker required.]
Populus vult decipi, ergo decipiatur...
"Force shits upon Reason's back." - Poor Richard's Almanac
...People seem to just like being negative about Firefox....
Not really. Mozilla has earned all the grief it receives for what it has done to Firefox.
.
Firefox has been losing marketshare as a result of what Mozilla has been doing to Firefox. Mozilla needs to take its head out of its collective arse and realize that people complain about Firefox because they like the way Firefox was, i.e., not bloated but functional, sleek and a driver of standards.
Nowadays, Firefox's marketshare is getting dangerously close to the point where it no longer can be a driver of web standards.
Your message paints Firefox as the victim of mean people who just hate it. Until Mozilla realizes and acknowledges what is really going on, i.e., people who liked Firefox want to see it return to its former glory, Firefox will continue to move towards the has-been of browsers.
I never understood the whole concept of Pocket. It's still baffling. I suspect the biggest security hole comes from the fact that it's being marketed to people who just don't care about security anyway and use it because it's new rather than applying any critical thinking.