Multiple Vulnerabilities Exposed In Pocket
vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backlash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.
The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
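The summary describes a server-side request forgery: the "save this URL" feature fetched whatever address a user supplied, including the server's own internal ones. The following is an added example (not Pocket's code and not from the linked write-up) of the pre-fetch check a service like this needs: it resolves the host and refuses any URL that points at loopback, private, link-local (where the EC2 metadata endpoint lives), reserved or otherwise non-public addresses. `resolve_all` is a hypothetical helper so the check can be exercised offline with a fake resolver.

```python
import ipaddress
import socket
from urllib.parse import urlparse

def resolve_all(host):
    """Return every address the host resolves to (hypothetical helper,
    swapped for a fake resolver in tests so the check runs offline)."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def is_internal(ip_str):
    """True for any address a server-side fetcher must never touch:
    loopback, RFC 1918, link-local (which covers the EC2 metadata
    endpoint 169.254.169.254), reserved, multicast, unspecified."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version == 6 and ip.ipv4_mapped:      # ::ffff:127.0.0.1 and friends
        ip = ip.ipv4_mapped
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_reserved or ip.is_multicast
            or ip.is_unspecified)

def url_is_safe_to_fetch(url, resolver=resolve_all):
    """Return (ok, reason). Allows only http(s) URLs whose host resolves
    exclusively to public addresses; a mixed public/private DNS answer is
    rejected. Callers must connect to the vetted address (not re-resolve,
    to avoid DNS rebinding) and re-run this check on every redirect target."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    try:                                        # literal IP: no DNS needed
        addrs = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addrs = resolver(host)
        except socket.gaierror:
            addrs = set()
    if not addrs:
        return False, "unresolvable host"
    for addr in sorted(addrs):
        if is_internal(addr):
            return False, f"resolves to internal address {addr}"
    return True, "ok"
```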
Actually that would have been a marvelous title for this submission: "Multiple holes found in Pocket".
Stop with the stupid integrated cloud services. It's a fucking web browser, if I want to use a web service I will GO THERE MYSELF.
I'm getting to the point of just assuming that anything in the Cloud is insecure. That assumption makes security so much easier. There is no security.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
...People seem to just like being negative about Firefox....
Not really. Mozilla has earned all the grief it receives for what it has done to Firefox.
Firefox has been losing marketshare as a result of what Mozilla has been doing to Firefox. Mozilla needs to take its head out of its collective arse and realize that people complain about Firefox because they like the way Firefox was, i.e., not bloated but functional, sleek and a driver of standards.
Nowadays, Firefox's marketshare is getting dangerously close to the point where it no longer can be a driver of web standards.
Your message paints Firefox as the victim of mean people who just hate it. Until Mozilla realizes and acknowledges what is really going on, i.e., people who liked Firefox want to see it return to its former glory, Firefox will continue to move towards the has-been of browsers.