Slashdot Mirror


Multiple Vulnerabilities Exposed In Pocket

vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
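The entry point described above is a server-side request forgery: the "read it later" fetcher retrieved whatever address a user handed it, internal ones included. Below is an added example, not code from the gnu.gl write-up or from Pocket, of the check a fetcher should run on a user-supplied URL before requesting it; `sample_resolver` and its constructed address table replace DNS so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a public fetcher must never reach; the EC2 metadata service
# (169.254.169.254) is link-local and 100.64.0.0/10 is not flagged private.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16", "fe80::/10")]
ALLOWED_SCHEMES = {"http", "https"}

def system_resolver(host):
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def sample_resolver(host):
    """Constructed lookup table standing in for DNS so this runs offline."""
    table = {"news.example": ["93.184.216.34"],                  # public
             "intranet.local": ["10.0.3.7"],                     # RFC 1918
             "mixed.example": ["93.184.216.34", "127.0.0.1"]}    # one bad record
    if host not in table:
        raise ValueError(f"NXDOMAIN {host}")
    return table[host]

def is_blocked(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or any(ip in net for net in BLOCKED_NETWORKS))

def check_url(url, resolver=system_resolver):
    """Return (ok, reason, addresses). Fetch only when ok, and connect to one
    of the returned addresses rather than resolving the name a second time,
    so the DNS answer cannot change between this check and the request."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    host = parts.hostname
    if not host:
        return False, "no host in URL", []
    try:
        ipaddress.ip_address(host)      # literal address: no DNS lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)
        except (OSError, UnicodeError, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}", []
    bad = [a for a in addrs if is_blocked(a)]
    if bad:
        return False, f"{host} resolves to blocked address {bad[0]}", []
    return True, "ok", addrs
```

Checking every address a name resolves to, not just the first, is what catches the `mixed.example` case, where one record is public and another loops back to the fetcher's own host.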


  1. Vulnerability in my pocket by nospam007 · · Score: 4, Funny

    There's a vulnerability in my jacket pocket too, it's called a 'hole'.

    1. Re:Vulnerability in my pocket by vivaoporto · · Score: 5, Funny

      Actually that would have been a marvelous title for this submission: "Multiple holes found in Pocket".

    2. Re:Vulnerability in my pocket by pr0nbot · · Score: 2

      Darn it!

  2. Security 101 by OverlordQ · · Score: 3, Interesting

    These seem like pretty basic things to get wrong.

    --
    Your hair look like poop, Bob! - Wanker.
    1. Re:Security 101 by gstoddart · · Score: 4, Insightful

      Well, in my experience Security 101 is something most people either don't know, or don't bother with.

      A tremendous amount of stuff comes out as "oooh, look ... shiny", and then you quickly discover security was kind of slapped on at the end, or not done at all.

      I've just started assuming that if someone says "hey, I have this thing which uses the network" that it's got security problems.

      Sadly, I keep getting proven right.

      --
      Lost at C:>. Found at C.
    2. Re:Security 101 by gstoddart · · Score: 2

      And this is why I think corporations need to have some liability for crap security.

      None of this "we forgot", or "it's too hard", or "the CEO insisted on it this way" ... no license which says "this software probably sucks, deal with it".

      Until then, pretty much every product will be released with bad/non-existent security.

      I've been a developer, and I understand deadlines and the like. But then we see instances where the company never fixes things.

      Far too much of it really is companies just being lazy and indifferent to security.

      --
      Lost at C:>. Found at C.
    3. Re:Security 101 by Darinbob · · Score: 3, Insightful

      I never understood the whole concept of Pocket. It's still baffling. I suspect the biggest security hole comes from the fact that it's being marketed to people who just don't care about security anyway and use it because it's new rather than applying any critical thinking.

  3. No by Anonymous Coward · · Score: 5, Insightful

    Stop with the stupid integrated cloud services. It's a fucking web browser, if I want to use a web service I will GO THERE MYSELF.

    1. Re:No by Anonymous Coward · · Score: 2, Interesting

      Speaking of that, how do I completely disable Pocket in Firefox? I've set browser.pocket.enabled to false, but I still have an entry at the top of the Bookmarks menu for "View Pocket List." No! I don't want to "View Pocket List" and I don't need that option in the menu. I'm never going to use this feature, let me fully remove it, please.

  4. Old style by Anonymous Coward · · Score: 2, Insightful

    I'm really old-style. I bookmark the sites I regularly visit and that's it. I don't need this level of "continuity" (also referencing the Apple feature).

    Maybe I don't miss what I don't know or maybe I don't care about what I miss. Besides, these days web sites are mostly story aggregators so there's probably not a whole lot of original content to miss.

    1. Re:Old style by Eythian · · Score: 2

      That's not what it's for. It's not for bookmarking things you visit regularly, that's what bookmarks and history are for. It's for saving articles you want to read later. Personally, I find that bookmarks suck for that as it's not their use case.

      Then you go on about how most content isn't original and what's the point anyway. What are you even doing reading slashdot then? Seriously, your "I don't understand how this works, and it's probably useless anyway now get off my lawn" head-in-sand ignorance is something you should sort out.

      You don't have to use things if you don't find them useful, that's fine. But don't go complaining about the uselessness of things when you don't even understand them.

      I seem to be having a grumpy morning.

  5. Re: Why is anyone still running Firefox? by Anonymous Coward · · Score: 2, Insightful

    Quite simply: It's not Google.

  6. Should not be any default by drinkypoo · · Score: 2

    Like all the other crap that's been added to our "browser", there should not be any default.

    If you want to save a web page for later perusal on the same device, you can use Scrapbook Plus. It works. (If you want to install it on a recent browser and not an extended support release, scroll down and install from the development channel.)

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  7. bookmarks? by Anonymous Coward · · Score: 4, Insightful

    Am I missing something, or is there absolutely no point in this "Pocket" service? To save articles to read later? Isn't that what bookmarks are for? To save these across multiple computers? Chrome does that for me already... And I'm still not sure what they mean by making it readable offline later? Is it saving an entire copy of the article on the server? Wouldn't you still require ONLINE access to actually get these files or are they shadowed to your local device too?

    If that's the case, there's this amazing "save as" option in most browsers, even "offline mode". None of these give anyone root access to anything. The thing is full of holes and apparently fills a niche for what, 1 guy too lazy to bookmark stuff? WTH

    I don't get the point of this software at all. And I find it pretty insane that a system to merely let you save articles to read later would somehow gain root priv. What the heck is going on in the backend to allow that?

    1. Re:bookmarks? by drinkypoo · · Score: 2

      I appreciate the ease of use argument, but with not too much more effort one could use a tool like hacktheweb to remove the crap (usually pretty easily, in fact) and then print the result to a PDF.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Cloud by Archangel Michael · · Score: 5, Insightful

    I'm getting to the point of just assuming that anything in the Cloud is insecure. That assumption makes security so much easier. There is no security.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Cloud by Fnord666 · · Score: 2

      There have been leaks in the Cloud since even before the Cloud had anything to do with computers.

      Does that make it a rain Cloud?

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  9. Re:Why is anyone still running Firefox? by mujadaddy · · Score: 4, Insightful

    Why is anyone still running Firefox?

    I haven't met a privacy concern I can't address yet with Firefox, whereas with Chrome I can only cover about 50% of the issues. I don't agree with the Set of Recent Distraction Additions, but with Firefox I can at least get robust control over every bit of my browsing experience. [NoScript, Cookie Whitelist, uMatrix, +hosts blacklist, in case you were curious. No Adblocker required.]

    --
    Populus vult decipi, ergo decipiatur...
    "Force shits upon Reason's back." - Poor Richard's Almanac
  10. *This* is why Mozilla needs to stand down.... by QuietLagoon · · Score: 4, Interesting

    Mozilla has been viewing Firefox like a kitchen sink, dumping everything into it.

    The backlash has caused Mozilla to take a step back and re-evaluate things. But is it too little too late?

    To me it looks as if Mozilla is in circle the wagons mode, being super defensive across the board. Constructively critical reviews about add-ons are being removed, apparently to keep the ratings in the 4 to 5 range for add-ons. Messages documenting problems are being removed in the support forums. (I saw one message that described a problem similar to the one I was having. When I went back to re-read it a day later, it had been removed.)

    It looks like Mozilla has made its transition to a bloated corporation complete. They now appear to be in the "control the message" mode of operation.

    1. Re:*This* is why Mozilla needs to stand down.... by QuietLagoon · · Score: 5, Insightful

      ...People seem to just like being negative about Firefox....

      Not really. Mozilla has earned all the grief it receives for what it has done to Firefox.

      Firefox has been losing marketshare as a result of what Mozilla has been doing to Firefox. Mozilla needs to take its head out of its collective arse and realize that people complain about Firefox because they like the way Firefox was, i.e., not bloated but functional, sleek and a driver of standards.

      Nowadays, Firefox's marketshare is getting dangerously close to the point where it no longer can be a driver of web standards.

      Your message paints Firefox as the victim of mean people who just hate it. Until Mozilla realizes and acknowledges what is really going on, i.e., people who liked Firefox want to see it return to its former glory, Firefox will continue to move towards the has-been of browsers.

    2. Re:*This* is why Mozilla needs to stand down.... by andymadigan · · Score: 2

      It's not hypocritical. If Firefox starts taking on all of the "downsides" of Chrome, then the equation changes. Now the question is, what does Chrome have that Firefox doesn't? What does Firefox have that Chrome doesn't?

      On Mac, I use Safari. On Windows, I use Chrome, not FF. Why? Because FF cannot seem to *get out of the fucking way* and let me browse.

      Every time it updates I have to close the stupid update page. On first install, I lost count of the number of prompts I had to close before I could just use the browser. Then there's the "plugin scan". If something has to be disabled, do it in the background and let me know! Same for updates.

      --
      The right to protest the State is more sacred than the State.
  11. Re:Why is anyone still running Firefox? by Tablizer · · Score: 4, Informative

    1) Plugin choice, 2) It's not (quite) corporate-ware like Chrome etc.

  12. Re:Why is anyone still running Firefox? by Darinbob · · Score: 2

    Alternatives? Chrome is even worse regarding its update schedules. Anything from Microsoft is just right out and is unportable. Safari just feels wrong to me. The question is rhetorical though, I don't need to hear from the opera fans and advocates of something goofy. Firefox does the job, allows plugins to increase security and decrease malware, and is open source (but using idiot management, but that's true for all other browsers on the planet).

  13. backslash... Really? by Mr. Droopy Drawers · · Score: 2

    The word you're looking for is B-A-C-K-L-A-S-H. I think backslash is an alternate universe of Slashdot...

    --
    To Copy from One is Plagiarism; To Copy from Many is Research.