Holes found in Pocket Firefox add-on
Patched server holes could making for painful reading
Information security man Clint Ruoho has detailed server-side vulnerabilities in the popular Pocket add-on bundled with Firefox that may have allowed user reading lists to be populated with malicious links.
The since-patched holes were disclosed July 25 and fixed August 17 after a series of botched patches, and gave attackers access to the process running as root on Amazon servers.
Ruho says the bookmarking app functioned as an internal network proxy and subsequent poor design choices meant he could glean information on users including IP address data and the URLs customers saved for later reading. Adding redirects meant he gained access to the etc/passwd file.
"Applications similar to Pocket require some logic to handle HTTP redirects on links [and] I added a link to my queue that resulted in a somewhat malicious redirect," Ruho says.
"After refreshing the Pocket app on my Android phone, the (reading) list included file:///etc/passwd. Clicking on the item revealed the full contents of /etc/passwd."
He says chained vulnerabilities could allow an attacker to grab the etc/passwd file, SSH keys, internal IP addresses, and launch secure shell into Pocket's private IP address backend.
Security bod Ty Miller of Sydney-based Threat Intelligence says while the hack affected Pocket's servers, an attacker could have targeted user by manipulating reading links.
"They could have compromised the Pocket application and gained access to all of Pocket's user data, and in theory manipulated it so that it synchronises to user devices," Miller says.
"They could do things here like redirects to client-side exploits.
"There's also a privacy concern here too if people are saving links off their corporate intranet to Pocket that contain internal documents or authentication credentials."
Miller says Pocket which does not run a bug bounty program was lucky the holes were found by a responsible researcher.
Websites and services of the size of Pocket should run bug bounty programs if only to reduce the chance that researchers will sell data onto criminal markets. ®