Slashdot Mirror

← Back to Stories (view on slashdot.org)

Multiple Vulnerabilities Exposed In Pocket

Posted by timothy on from the out-of-pocket dept.

vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.

57 of 88 comments (clear)

  1. Vulnerability in my pocket by nospam007 · · Score: 4, Funny

    There's a vulnerability in my jacket pocket too, it's called a 'hole'.

    1. Re:Vulnerability in my pocket by vivaoporto · · Score: 5, Funny

      Actually that would have been a marvelous title for this submission: "Multiple holes found in Pocket".

    2. Re:Vulnerability in my pocket by Anonymous Coward · · Score: 1

      There's a vulnerability in my jacket pocket too, it's called a 'hole'.

      Holes are what happen when you put backslashes in pockets. Expect there to be some backlash.

    3. Re:Vulnerability in my pocket by pr0nbot · · Score: 2

      Darn it!

  2. Security 101 by OverlordQ · · Score: 3, Interesting

    These seem like pretty basic things to get wrong.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Security 101 by gstoddart · · Score: 4, Insightful

      Well, in my experience Security 101 is something most people either don't know, or don't bother with.

      A tremendous amount of stuff comes out as "oooh, look ... shiny", and then you quickly discover security was kind of slapped on at the end, or not done at all.

      I've just started assuming that if someone says "hey, I have this thing which uses the network" that it's got security problems.

      Sadly, I keep getting proven right.

      --
      Lost at C:>. Found at C.
    2. Re:Security 101 by Tablizer · · Score: 1

      Often there is a deadline, perhaps unrealistic, pushing people to take risks. If you want it badly, that's how you'll get it.

      --
      Table-ized A.I.
    3. Re:Security 101 by gstoddart · · Score: 2

      And this is why I think corporations need to have some liability for crap security.

      None of this "we forgot", or "it's too hard", or "the CEO insisted on it this way" ... no license which says "this software probably sucks, deal with it".

      Until then, pretty much every product will be release with bad/non-existent security.

      I've been a developer, and I understand deadlines and the like. But then we see instances where the company never fixes things.

      Far too much of it really is companies just being lazy and indifferent to security.

      --
      Lost at C:>. Found at C.
    4. Re:Security 101 by Darinbob · · Score: 3, Insightful

      I never understood the whole concept of Pocket. It's still baffling. I suspect the biggest security hole comes from the fact that it's being marketed to people who just don't care about security anyway and use it because it's new rather than applying any critical thinking.

    5. Re:Security 101 by Darinbob · · Score: 1

      The real excuse: "it would cut into our profits!"

    6. Re:Security 101 by Tablizer · · Score: 1

      liability for crap security

      It's an interesting idea that has been floated many times, but it may not be practical to implement without greatly increasing the cost of software because it would create layers of "CYA processes".

      Users and society don't want to pay that premium so far. Quality software (UI aside) has always been hard sell when weighed against features with consumers. I don't know of a way to change human nature. (Unless, you push The Button and give cockroaches a chance.)

      --
      Table-ized A.I.
    7. Re:Security 101 by Sowelu · · Score: 1

      Increasing liability might reduce the amount of bad software out there, but only because it would reduce the amount of software out there, period.

    8. Re:Security 101 by Eythian · · Score: 1

      It's where you put things you want to read later. That's its concept. It's quite useful if you want to read things, but maybe don't have time right now.

      It also saves them offline, so you can load it up with stuff to read on that flight or subway trip, or whatever.

    9. Re:Security 101 by gl4ss · · Score: 1

      what's really baffling is why a read it later (offline) service is a web service in the first place.

      mozilla should have gone with just something that just saves them locally.. sync them with some web service after that if you want.

      --
      world was created 5 seconds before this post as it is.
    10. Re:Security 101 by Eythian · · Score: 1

      The idea is that this works across devices etc. You can read on the web or in an app or whatever. It's hard to do that without some kind of service.

      If it just saved things locally, then it would be a lot less useful.

  3. No by Anonymous Coward · · Score: 5, Insightful

    Stop with the stupid integrated cloud services. It's a fucking web browser, if I want to use a web service I will GO THERE MYSELF.

    1. Re:No by Anonymous Coward · · Score: 2, Interesting

      Speaking of that, how do I completely disable Pocket in Firefox? I've set browser.pocket.enabled to false, but I still have an entry at the top of the Bookmarks menu for "View Pocket List." No! I don't want to "View Pocket List" and I don't need that option in the menu. I'm never going to use this feature, let me fully remove it, please.

    2. Re:No by soap_and_dish · · Score: 1

      All you have to do is remove the icon. Here.

      Yes I don't like the Pocket integration either, but it's temporary, does no harm if you don't use it, and, this story inclusive, probably does no harm even if you do use it. It's just a useless icon. Get rid of it and put it behind you.

  4. Old style by Anonymous Coward · · Score: 2, Insightful

    I'm really old-style. I bookmark the sites I regularly visit and that's it. I don't need this level of "continuity" (also referencing the Apple feature).

    Maybe I don't miss what I don't know or maybe I don't care about what I miss. Besides, these days web sites are mostly story aggregators so there's probably not a whole lot of original content to miss.

    1. Re:Old style by DrVxD · · Score: 1

      Firefox already has the mechanism to save pages for later (bookmarks)

      A bookmark saves the *location* of a page, not the content. Next time you open that bookmark, the content may have changed (e.g most news sites' home pages are updated several times a day as new content is added)
      Pocket, on the other hand, saves a "snapshot" of the content of the page as-is. Next time you go to it, it'll have the same content.

      --
      Not everything that can be measured matters; Not everything that matters can be measured.
    2. Re:Old style by Eythian · · Score: 2

      That's not what it's for. It's not for bookmarking things you visit regularly, that's what bookmarks and history are for. It's for saving articles you want to read later. Personally, I find that bookmarks suck for that as it's not their use case.

      Then you go on about how most content isn't original and what's the point anyway. What are you even doing reading slashdot then? Seriously, your "I don't understand how this works, and it's probably useless anyway now get off my lawn" head-in-sand ignorance is something you should sort out.

      You don't have to use things if you don't find them useful, that's fine. But don't go complaining about the uselessness of things when you don't even understand them.

      I seem to be having a grumpy morning.

  5. Re:Why is anyone still running Firefox? by flacco · · Score: 1

    Personally, because I'm too lazy to find an alternative solution for what FoxyProxy does.

    I'm drifting that way though.

    --
    pr0n - keeping monitor glass spotless since 1981.
  6. Re: Why is anyone still running Firefox? by Anonymous Coward · · Score: 2, Insightful

    Quite simply: It's not Google.

  7. Should not be any default by drinkypoo · · Score: 2

    Like all the other crap that's been added to our "browser", there should not be any default.

    If you want to save a web page for later perusal on the same device, you can use Scrapbook Plus. It works. (If you want to install it on a recent browser and not an extended support release, scroll down and install from the development channel.)

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Re:Why is anyone still running Firefox? by ecsyle · · Score: 1

    I would love to use Firefox for more than web dev. At this point I consider all web browsers to be crap and look forward to the next Firefox-like browser to shake things up.

  9. bookmarks? by Anonymous Coward · · Score: 4, Insightful

    Am I missing something, or is there absolutely no point in this "Pocket" service? To save articles to read later? Isn't that what bookmarks are for? To save these across multiple computers? Chrome does that for me already... And I'm still not sure what they mean by making it readable offline later? Is it saving an entire copy of the article on the server? Wouldn't you still require ONLINE access to actually get these files or are they shadowed to your local device to?

    If that's the case, there's this amazing "save as" option in most browsers, even "offline mode". None of these give anyone root access to anything. The thing is full of holes and apparently fills a niche for what, 1 guy too lazy to bookmark stuff? WTH

    I don't get the point of this software at all. And I find it pretty insane that a system to merely let you save articles to read later would somehow gain root priv. What the heck is going on in the backend to allow that?

    1. Re:bookmarks? by Anonymous Coward · · Score: 1

      That's an impressive rant, but personally I find it very useful, because of the mobile app. I click 'Add to Pocket' and the service grabs the content, strips out all the ads/fluff/sidebars/styling to leave a mobile-friendly article and caches it on my phone so I can read it whenever, even without a network connection, which is usually the case since I normally read things when I'm on trains.

    2. Re:bookmarks? by drinkypoo · · Score: 2

      I appreciate the ease of use argument, but with not too much more effort one could use a tool like hacktheweb to remove the crap (usually pretty easily, in fact) and then print the result to a PDF.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:bookmarks? by Eythian · · Score: 1

      PDFs are not good for reading on mobile devices, not even counting the extra effort to get it there. And why would you expend that effort when you could ... not?

      I'm all for decreasing reliance on closed services, and I think Firefox building this in isn't a move consistent with their principles, but pocket is quite useful and functional tool.

    4. Re:bookmarks? by drinkypoo · · Score: 1

      PDFs are not good for reading on mobile devices, not even counting the extra effort to get it there.

      No problems here. Get a better mobile device.

      And why would you expend that effort when you could ... not?

      Because I don't trust third party services. That lack of trust is obviously well-founded. I prefer to use fewer of them as a result.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:bookmarks? by Eythian · · Score: 1

      No problems here. Get a better mobile device.

      No. That's a terrible answer with no thought behind it at all. Some people like their phone with a 3 inch screen. PDFs are not a format for display in all manner of layouts. You're just being silly.

      Because I don't trust third party services. That lack of trust is obviously well-founded. I prefer to use fewer of them as a result.

      Most people don't care. Also, most people aren't so technically inclined to build every service they might want from the ground up, or want the hassle of going through and manually moving files between things. If you're not the target market, fine. But don't try to apply your own perspectives onto everyone else.

  10. Re:Why is anyone still running Firefox? by Anonymous Coward · · Score: 1

    Because it doesn't shit itself every 5 minutes unlike Chrome

    For the better part of a year I thought my OS was becoming unstable because of the non-stop crashing / memory leaks and general failure of Chrome to do anything, then I switched back to Firefox (after probably 8 years or so of abandonment) and discovered that it not only ran better but rarely crashed. The UI is pretty nice as well

    It's not perfect but then, what is

  11. Re: Why is anyone still running Firefox? by Anonymous Coward · · Score: 1

    The vulnerability affects the backend Pocket webserver (and the AWS account that the Pocket servers run in).

    I don't see how this affects me personally just because I use Firefox as a web browser.

  12. Cloud by Archangel+Michael · · Score: 5, Insightful

    I'm getting to the point of just assuming that anything in the Cloud is insecure. That assumption makes security so much easier. There is no security.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Cloud by Cro+Magnon · · Score: 1

      ^This! There have been leaks in the Cloud since even before the Cloud had anything to do with computers.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:Cloud by Fnord666 · · Score: 2

      There have been leaks in the Cloud since even before the Cloud had anything to do with computers.

      Does that make it a rain Cloud?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  13. Some backslash? by Anonymous Coward · · Score: 1

    Everybody knows forward slashes are the way to go.

  14. Re: Why is anyone still running Firefox? by Nikademus · · Score: 1

    Except that none of those are portable either. Firefox just runs on almost any OS you want it to run on.

    --
    I gave up with the idea of an useful sig...
  15. Re:Why is anyone still running Firefox? by mujadaddy · · Score: 4, Insightful

    Why is anyone still running Firefox?

    I haven't met a privacy concern I can't address yet with Firefox, whereas with Chrome I can only cover about 50% of the issues. I don't agree with the Set of Recent Distraction Additions, but with Firefox I can at least get robust control over every bit of my browsing experience. [NoScript, Cookie Whitelist, uMatrix, +hosts blacklist, in case you were curious. No Adblocker required.]

    --
    Populus vult decipi, ergo decipiatur...
    "Force shits upon Reason's back." - Poor Richard's Almanac
  16. *This* is why Mozilla needs to stand down.... by QuietLagoon · · Score: 4, Interesting
    Mozilla has been viewing Firefox like a kitchen sink, dumping everything into it.

    The backlash has caused Mozilla to take a step back and re-evaluate things. But is it too little too late?

    To me it looks as if Mozilla is in circle the wagons mode, being super defensive across the board. Constructively critical reviews about add-ons are being removed, apparently to keep the ratings in the 4 to 5 range for add-ons. Messages documenting problems are being removed in the support forums. (I saw one message that described a problem similar to the one I was having. When I went back to re-read it a day later, it had been removed.)

    It looks like Mozilla has made its transition to a bloated corporation complete. They now appear to be in the "control the message" mode of operation.

    1. Re:*This* is why Mozilla needs to stand down.... by CrashNBrn · · Score: 1

      Opera didn't face less negativity over their capitulation... but the only place to raise the issues was on the Opera Forums|Blog... Those "platforms" are actively censored... as well Opera ASA nixed "MyOpera" and all of its 10+ year content - including user-created Opera Documentation|Tips.
      Fuck Opera.

    2. Re:*This* is why Mozilla needs to stand down.... by CrashNBrn · · Score: 1

      Firefox isn't even remotely close to "kitchen-sink". You have to install add-ons for the most basic "tab options"... actually you pretty much have to install an Add-On to get any options at all. Want to change keyboard shortcuts? Add-on. Want to actually be able to manage your sessions? The "built-in" session manager... yeah it can't do that, go get another add-on.

    3. Re:*This* is why Mozilla needs to stand down.... by QuietLagoon · · Score: 5, Insightful

      ...People seem to just like being negative about Firefox....

      Not really. Mozilla has earned all the grief it receives for what it has done to Firefox.

      .
      Firefox has been losing marketshare as a result of what Mozilla has been doing to Firefox. Mozilla needs to take its head out of its collective arse and realize that people complain about Firefox because they like the way Firefox was, i.e., not bloated but functional, sleek and a driver of standards.

      Nowadays, Firefox's marketshare is getting dangerously close to the point where it no longer can be a driver of web standards.

      Your message paints Firefox as the victim of mean people who just hate it. Until Mozilla realizes and acknowledges what is really going on, i.e., people who liked Firefox want to see it return to its former glory, Firefox will continue to move towards the has-been of browsers.

    4. Re:*This* is why Mozilla needs to stand down.... by andymadigan · · Score: 2

      It's not hypocritical. If Firefox starts taking on all of the "downsides" of Chrome, then the equation changes. Now the question is, what does Chrome have that Firefox doesn't? What does Firefox have that Chrome doesn't?

      On Mac, I use Safari. On Windows, I use Chrome, not FF. Why? Because FF can not seem to *get out of the fucking way* and let me browse.

      Every time it updates I have to close the stupid update page. On first install, I lost count of the number of prompts I had to close before I could just use the browser. Then there's the "plugin scan". If something has to be disabled, do it in the background and let me know! Same for updates.

      --
      The right to protest the State is more sacred than the State.
    5. Re:*This* is why Mozilla needs to stand down.... by KGIII · · Score: 1

      Maybe Firefox should stick to making a core browser that works and is secure. Then forks can make alternative versions with all the bells and whistles as needed. I do not really have a solution but that is what comes to mind.

      --
      "So long and thanks for all the fish."
  17. Re:Why is anyone still running Firefox? by Tablizer · · Score: 4, Informative

    1) Plugin choice, 2) It's not (quite) corporate-ware like Chrome etc.

    --
    Table-ized A.I.
  18. Re:Why is anyone still running Firefox? by TechyImmigrant · · Score: 1

    Why is anyone still running Firefox? (Other than those of us who need to a keep a copy around for web dev.)

    Because

    dnf install firefox works.
    dnf install chrome does not.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  19. Vague attempt at subliminal advertising by shabble · · Score: 1

    the third party web-based service chosen by Mozilla (with some back slash )

    ...or just the usual standard of proofreading we've come to expect around here?

    --
    http://harridanic.com
  20. Abandon ship by LichtSpektren · · Score: 1

    and use Chromium. It's 100% FLOSS (Firefox no longer is because of all the third-party binaries integrated therein), doesn't choke to death on memory leaks, and the default telemetry collection (spyware) is just as invasive as Firefox's.

  21. Re:Why is anyone still running Firefox? by Darinbob · · Score: 2

    Alternatives? Chrome is even worse regarding it's update schedules. Anything from Microsoft is just right out and is unportable. Safari just feels wrong to me. The question is rhetorical though, I don't need to hear from the opera fans and advocates of something goofy. Firefox does the job, allows plugins to increase security and decrease malware, and is open source (but using idiot management, but that's true for all other browsers on the planet).

  22. backslash... Really? by Mr.+Droopy+Drawers · · Score: 2

    The word you're looking for is B-A-C-K-L-A-S-H. I think backslash is an alternate universe of Slashdot...

    --

    To Copy from One is Plagiarism; To Copy from Many is Research.

  23. Re:Why is anyone still running Firefox? by sims+2 · · Score: 1

    Is there something wrong with kwikset locks I should know about?

    The last time I was broken into they cut through a double roof (it used to be a flat top) broke out a window and climbed through the bars to get out.

    He also broke the glass out of a unlocked display case to take one item.

    A few thousand dollars in damage for a $300 gun. Afaik the guy is still in jail. Although I don't think on that charge.

    --
    Minimum threshold fixed. Thanks!
  24. Because of many misfeatures in Chrome by Ungrounded+Lightning · · Score: 1

    There were several in the version of Chrome the IT department installed.

    The straw that broke the camel's back for me was the inability to remove a typo-squatting, not-safe-for-work, website address from the drop-down autocomplete suggestions in the address bar.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  25. Re:Why is anyone still running Firefox? by OverlordQ · · Score: 1

    You still havent named anything you can do in Firefox you can't do in Chrome. All those exist as equivalent chrome extensions.

    --
    Your hair look like poop, Bob! - Wanker.
  26. Re: Why is anyone still running Firefox? by KGIII · · Score: 1

    Might I recommend Opera? It is built on Chromium but strips out all the privacy invading crap that Google has. It is open, it is free, and it is pretty good. You can use extensions from Opera or even Google so you have a lot of choices. It is stable as all hell. It has a temporary save state so when you POST data you can press back and make changes to your input. It is quick, easy, and ranks very well in a number of tests. It is also seemingly gaining market share.

    I have been using Opera since the days that you had to pay for it. So I am a little biased but I also have donated to Mozilla and they even put my name in some newspaper or other (I forget which one - it was a big thing to them at the time though I did not really care). Opera generally has been the browser to incorporate the new features before other browsers get them. I have been a fan for a very, very long time.

    Portable versions can be built or downloaded. It's worth the time to check, if you are interested in an alternative, and I've had great luck with them.

    --
    "So long and thanks for all the fish."
  27. Clean it up & save on your own drive. by swell · · Score: 1

    As many have said, it is insane to save things related to your personal interests on an anonymous server. Most of us have trilobytes of hard drive space available--so use it. Also, few web pages are worth saving due to the 30% devoted to content, 70% to obnoxious noise. So, some cleanup is desirable.

    Here's what works on my Mac (YMMV): I find an interesting page that I haven't time to study right now so my first choice is to Copy the text and Paste it into a text editor. Perhaps there are pictures and charts that I want to include- I can copy & paste them too, but that's time consuming and some formatting is often lost.

    The next option (brilliant, you'll agree) is to turn on the Add-On called HackTheWeb. Oooh, you're gonna like it. So now I can select elements of the page to Remove or maybe a central article to Isolate. On a very complex page it can be tricky to get just what you want without all the cruft. Get rid of the ads, doodads and other junk leaving a nice clean article to save.

    Finally, with the Mac I go to the Print menu and verify that it looks like I expect, and then I Print to PDF. I have a clean copy ON MY DRIVE, and not some foreign server. The entire process takes 1-3 minutes but it results in an easy to read page that can be proudly shared with other interested parties.

    --
    ...omphaloskepsis often...
  28. Re:Kwikset by sims+2 · · Score: 1

    Thanks for the information we use the kwikset classics. while that is worrying I don't think anything will be done about it until crooks go back to using doors.

    One of the business in town even had the doors stolen from the front of their building nothing else just the doors. http://www.sequoyahcountytimes...

    You can still see the boot print on one of our doors from when someone tried to kick it in a few years ago might have even worked to if it hadn't been sealed off after a car ran into it a few years prior.

    --
    Minimum threshold fixed. Thanks!