Multiple Vulnerabilities Exposed In Pocket

vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
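The summary describes the service being pointed at an internal address by the very URL-fetching feature it exists to provide. As an added example, not Pocket's or the researcher's code, this is the allowlist check a read-it-later fetcher should run over a user-submitted URL before retrieving it; `resolve_all` is an assumed helper and the addresses in the comments are constructed samples.

```python
# Added example (not Pocket's code): an SSRF guard for a read-it-later fetcher.
# The service fetches user-submitted URLs, so before it connects it must refuse
# targets that reach the host itself, its private network or link-local ranges.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_internal(addr):
    """True for loopback, private, link-local, reserved and unrouted addresses."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:10.0.0.5 is really 10.0.0.5
    return not addr.is_global or addr.is_loopback or addr.is_link_local


def resolve_all(host):
    """Default resolver (hypothetical helper): every address a name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolve=resolve_all):
    """Return True only if the URL may be fetched on behalf of a user.

    Every address the host resolves to must be public; one internal address
    among several is enough to refuse, since the client may pick any of them.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:       # file://, gopher://, ...
        return False
    host = parts.hostname
    if not host or parts.username is not None:            # no userinfo tricks
        return False
    try:
        addrs = [ipaddress.ip_address(host)]               # literal IP, incl. [::1]
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (ValueError, OSError):                      # socket.gaierror is OSError
            return False                                   # unresolvable: refuse
    if not addrs:
        return False
    return not any(_is_internal(a) for a in addrs)
```

Connect to the address you validated rather than re-resolving the name at fetch time; a DNS answer that changes between the check and the fetch would otherwise defeat the guard.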
  • by nospam007 ( 722110 ) * on Tuesday August 18, 2015 @11:24AM (#50340021)

    There's a vulnerability in my jacket pocket too, it's called a 'hole'.

  • Security 101 (Score:4, Interesting)

    by OverlordQ ( 264228 ) on Tuesday August 18, 2015 @11:32AM (#50340093) Journal

    These seem like pretty basic things to get wrong.

    • Re:Security 101 (Score:5, Insightful)

      by gstoddart ( 321705 ) on Tuesday August 18, 2015 @11:44AM (#50340187) Homepage

      Well, in my experience Security 101 is something most people either don't know, or don't bother with.

      A tremendous amount of stuff comes out as "oooh, look ... shiny", and then you quickly discover security was kind of slapped on at the end, or not done at all.

      I've just started assuming that if someone says "hey, I have this thing which uses the network" that it's got security problems.

      Sadly, I keep getting proven right.

      • by Tablizer ( 95088 )

        Often there is a deadline, perhaps unrealistic, pushing people to take risks. If you want it badly, that's how you'll get it.

        • And this is why I think corporations need to have some liability for crap security.

          None of this "we forgot", or "it's too hard", or "the CEO insisted on it this way" ... no license which says "this software probably sucks, deal with it".

          Until then, pretty much every product will be released with bad/non-existent security.

          I've been a developer, and I understand deadlines and the like. But then we see instances where the company never fixes things.

          Far too much of it really is companies just being lazy and ind

          • The real excuse: "it would cut into our profits!"

          • by Tablizer ( 95088 )

            liability for crap security

            It's an interesting idea that has been floated many times, but it may not be practical to implement without greatly increasing the cost of software because it would create layers of "CYA processes".

            Users and society don't want to pay that premium so far. Quality software (UI aside) has always been a hard sell when weighed against features with consumers. I don't know of a way to change human nature. (Unless you push The Button and give cockroaches a chance.)

          • by Sowelu ( 713889 )

            Increasing liability might reduce the amount of bad software out there, but only because it would reduce the amount of software out there, period.

      • Re:Security 101 (Score:4, Insightful)

        by Darinbob ( 1142669 ) on Tuesday August 18, 2015 @01:07PM (#50340867)

        I never understood the whole concept of Pocket. It's still baffling. I suspect the biggest security hole comes from the fact that it's being marketed to people who just don't care about security anyway and use it because it's new rather than applying any critical thinking.

        • by Eythian ( 552130 )

          It's where you put things you want to read later. That's its concept. It's quite useful if you want to read things, but maybe don't have time right now.

          It also saves them offline, so you can load it up with stuff to read on that flight or subway trip, or whatever.

          • by gl4ss ( 559668 )

            what's really baffling is why a read it later (offline) service is a web service in the first place.

            mozilla should have gone with just something that just saves them locally.. sync them with some web service after that if you want.

            • by Eythian ( 552130 )

              The idea is that this works across devices etc. You can read on the web or in an app or whatever. It's hard to do that without some kind of service.

              If it just saved things locally, then it would be a lot less useful.

  • No (Score:5, Insightful)

    by Anonymous Coward on Tuesday August 18, 2015 @11:36AM (#50340113)

    Stop with the stupid integrated cloud services. It's a fucking web browser, if I want to use a web service I will GO THERE MYSELF.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Speaking of that, how do I completely disable Pocket in Firefox? I've set browser.pocket.enabled to false, but I still have an entry at the top of the Bookmarks menu for "View Pocket List." No! I don't want to "View Pocket List" and I don't need that option in the menu. I'm never going to use this feature, let me fully remove it, please.

      • All you have to do is remove the icon. Here [mozilla.org].

        Yes I don't like the Pocket integration either, but it's temporary, does no harm if you don't use it, and, this story inclusive, probably does no harm even if you do use it. It's just a useless icon. Get rid of it and put it behind you.

  • Old style (Score:2, Insightful)

    by Anonymous Coward

    I'm really old-style. I bookmark the sites I regularly visit and that's it. I don't need this level of "continuity" (also referencing the Apple feature).

    Maybe I don't miss what I don't know or maybe I don't care about what I miss. Besides, these days web sites are mostly story aggregators so there's probably not a whole lot of original content to miss.

    • by Eythian ( 552130 )

      That's not what it's for. It's not for bookmarking things you visit regularly, that's what bookmarks and history are for. It's for saving articles you want to read later. Personally, I find that bookmarks suck for that as it's not their use case.

      Then you go on about how most content isn't original and what's the point anyway. What are you even doing reading slashdot then? Seriously, your "I don't understand how this works, and it's probably useless anyway now get off my lawn" head-in-sand ignorance is somet

  • Like all the other crap that's been added to our "browser", there should not be any default.

    If you want to save a web page for later perusal on the same device, you can use Scrapbook Plus [mozilla.org]. It works. (If you want to install it on a recent browser and not an extended support release, scroll down and install from the development channel.)

  • bookmarks? (Score:4, Insightful)

    by Anonymous Coward on Tuesday August 18, 2015 @11:47AM (#50340217)

    Am I missing something, or is there absolutely no point in this "Pocket" service? To save articles to read later? Isn't that what bookmarks are for? To save these across multiple computers? Chrome does that for me already... And I'm still not sure what they mean by making it readable offline later? Is it saving an entire copy of the article on the server? Wouldn't you still require ONLINE access to actually get these files, or are they shadowed to your local device too?

    If that's the case, there's this amazing "save as" option in most browsers, even "offline mode". None of these give anyone root access to anything. The thing is full of holes and apparently fills a niche for what, 1 guy too lazy to bookmark stuff? WTH

    I don't get the point of this software at all. And I find it pretty insane that a system to merely let you save articles to read later would somehow gain root priv. What the heck is going on in the backend to allow that?

    • by Anonymous Coward

      That's an impressive rant, but personally I find it very useful, because of the mobile app. I click 'Add to Pocket' and the service grabs the content, strips out all the ads/fluff/sidebars/styling to leave a mobile-friendly article and caches it on my phone so I can read it whenever, even without a network connection, which is usually the case since I normally read things when I'm on trains.

      • I appreciate the ease of use argument, but with not too much more effort one could use a tool like hacktheweb to remove the crap (usually pretty easily, in fact) and then print the result to a PDF.

        • by Eythian ( 552130 )

          PDFs are not good for reading on mobile devices, not even counting the extra effort to get it there. And why would you expend that effort when you could ... not?

          I'm all for decreasing reliance on closed services, and I think Firefox building this in isn't a move consistent with their principles, but Pocket is a quite useful and functional tool.

          • PDFs are not good for reading on mobile devices, not even counting the extra effort to get it there.

            No problems here. Get a better mobile device.

            And why would you expend that effort when you could ... not?

            Because I don't trust third party services. That lack of trust is obviously well-founded. I prefer to use fewer of them as a result.

            • by Eythian ( 552130 )

              No problems here. Get a better mobile device.

              No. That's a terrible answer with no thought behind it at all. Some people like their phone with a 3 inch screen. PDFs are not a format for display in all manner of layouts. You're just being silly.

              Because I don't trust third party services. That lack of trust is obviously well-founded. I prefer to use fewer of them as a result.

              Most people don't care. Also, most people aren't so technically inclined to build every service they might want from the ground up, or want the hassle of going through and manually moving files between things. If you're not the target market, fine. But don't try to apply your own perspectives onto everyone else.

  • Cloud (Score:5, Insightful)

    by Archangel Michael ( 180766 ) on Tuesday August 18, 2015 @12:00PM (#50340345) Journal

    I'm getting to the point of just assuming that anything in the Cloud is insecure. That assumption makes security so much easier. There is no security.

    • ^This! There have been leaks in the Cloud since even before the Cloud had anything to do with computers.

      • There have been leaks in the Cloud since even before the Cloud had anything to do with computers.

        Does that make it a rain Cloud?

  • by Anonymous Coward

    Everybody knows forward slashes are the way to go.

  • by QuietLagoon ( 813062 ) on Tuesday August 18, 2015 @12:22PM (#50340479)

    Mozilla has been viewing Firefox like a kitchen sink, dumping everything into it.

    The backlash has caused Mozilla to take a step back and re-evaluate things. But is it too little too late?

    To me it looks as if Mozilla is in circle the wagons mode, being super defensive across the board. Constructively critical reviews about add-ons are being removed, apparently to keep the ratings in the 4 to 5 range for add-ons. Messages documenting problems are being removed in the support forums. (I saw one message that described a problem similar to the one I was having. When I went back to re-read it a day later, it had been removed.)

    It looks like Mozilla has made its transition to a bloated corporation complete. They now appear to be in the "control the message" mode of operation.

    • Firefox isn't even remotely close to "kitchen-sink". You have to install add-ons for the most basic "tab options"... actually you pretty much have to install an Add-On to get any options at all. Want to change keyboard shortcuts? Add-on. Want to actually be able to manage your sessions? The "built-in" session manager... yeah it can't do that, go get another add-on.

  • the third party web-based service chosen by Mozilla (with some back slash )

    ...or just the usual standard of proofreading we've come to expect around here?

  • and use Chromium. It's 100% FLOSS (Firefox no longer is because of all the third-party binaries integrated therein), doesn't choke to death on memory leaks, and the default telemetry collection (spyware) is just as invasive as Firefox's.

  • by Mr. Droopy Drawers ( 215436 ) on Tuesday August 18, 2015 @01:39PM (#50341191)

    The word you're looking for is B-A-C-K-L-A-S-H. I think backslash is an alternate universe of Slashdot...

  • As many have said, it is insane to save things related to your personal interests on an anonymous server. Most of us have trilobytes of hard drive space available--so use it. Also, few web pages are worth saving due to the 30% devoted to content, 70% to obnoxious noise. So, some cleanup is desirable.

    Here's what works on my Mac (YMMV): I find an interesting page that I haven't time to study right now so my first choice is to Copy the text and Paste it into a text editor. Perhaps there are pictures and charts
