Multiple Vulnerabilities Exposed In Pocket

vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.

Vulnerability in my pocket

[nospam007]

There's a vulnerability in my jacket pocket too, it's called a 'hole'.

Re:Vulnerability in my pocket

[vivaoporto]

Actually that would have been a marvelous title for this submission: "Multiple holes found in Pocket".

Re:

[Anonymous Coward]

There's a vulnerability in my jacket pocket too, it's called a 'hole'.

Holes are what happen when you put backslashes in pockets. Expect there to be some backlash.

Re:

[pr0nbot]

Darn it!

Security 101

[OverlordQ]

These seem like pretty basic things to get wrong.

Re:Security 101

[gstoddart]

Well, in my experience Security 101 is something most people either don't know, or don't bother with.

A tremendous amount of stuff comes out as "oooh, look ... shiny", and then you quickly discover security was kind of slapped on at the end, or not done at all.

I've just started assuming that if someone says "hey, I have this thing which uses the network" that it's got security problems.

Sadly, I keep getting proven right.

Re:

[Tablizer]

Often there is a deadline, perhaps unrealistic, pushing people to take risks. If you want it badly, that's how you'll get it.

Re:

[gstoddart]

And this is why I think corporations need to have some liability for crap security.

None of this "we forgot", or "it's too hard", or "the CEO insisted on it this way" ... no license which says "this software probably sucks, deal with it".

Until then, pretty much every product will be release with bad/non-existent security.

I've been a developer, and I understand deadlines and the like. But then we see instances where the company never fixes things.

Far too much of it really is companies just being lazy and ind

Re:

[Darinbob]

The real excuse: "it would cut into our profits!"

Re:

[Tablizer]

liability for crap security

It's an interesting idea that has been floated many times, but it may not be practical to implement without greatly increasing the cost of software because it would create layers of "CYA processes".

Users and society don't want to pay that premium so far. Quality software (UI aside) has always been hard sell when weighed against features with consumers. I don't know of a way to change human nature. (Unless, you push The Button and give cockroaches a chance.)

Re:

[Sowelu]

Increasing liability might reduce the amount of bad software out there, but only because it would reduce the amount of software out there, period.

Re:Security 101

[Darinbob]

I never understood the whole concept of Pocket. It's still baffling. I suspect the biggest security hole comes from the fact that it's being marketed to people who just don't care about security anyway and use it because it's new rather than applying any critical thinking.

Re:

[Eythian]

It's where you put things you want to read later. That's its concept. It's quite useful if you want to read things, but maybe don't have time right now.

It also saves them offline, so you can load it up with stuff to read on that flight or subway trip, or whatever.

Re:

[gl4ss]

what's really baffling is why a read it later (offline) service is a web service in the first place.

mozilla should have gone with just something that just saves them locally.. sync them with some web service after that if you want.

Re:

[Eythian]

The idea is that this works across devices etc. You can read on the web or in an app or whatever. It's hard to do that without some kind of service.

If it just saved things locally, then it would be a lot less useful.

No

[Anonymous Coward]

Stop with the stupid integrated cloud services. It's a fucking web browser, if I want to use a web service I will GO THERE MYSELF.

Re:

[Anonymous Coward]

Speaking of that, how do I completely disable Pocket in Firefox? I've set browser.pocket.enabled to false, but I still have an entry at the top of the Bookmarks menu for "View Pocket List." No! I don't want to "View Pocket List" and I don't need that option in the menu. I'm never going to use this feature, let me fully remove it, please.

Re:

[soap_and_dish]

All you have to do is remove the icon. Here [mozilla.org].

Yes I don't like the Pocket integration either, but it's temporary, does no harm if you don't use it, and, this story inclusive, probably does no harm even if you do use it. It's just a useless icon. Get rid of it and put it behind you.

Re:

[flacco]

Personally, because I'm too lazy to find an alternative solution for what FoxyProxy does.

I'm drifting that way though.

Re: Why is anyone still running Firefox?

[Anonymous Coward]

Quite simply: It's not Google.

Re:

[Nikademus]

Except that none of those are portable either. Firefox just runs on almost any OS you want it to run on.

Re:

[KGIII]

Might I recommend Opera? It is built on Chromium but strips out all the privacy invading crap that Google has. It is open, it is free, and it is pretty good. You can use extensions from Opera or even Google so you have a lot of choices. It is stable as all hell. It has a temporary save state so when you POST data you can press back and make changes to your input. It is quick, easy, and ranks very well in a number of tests. It is also seemingly gaining market share.

I have been using Opera since the days that

Re:

[sims 2]

Is there something wrong with kwikset locks I should know about?

The last time I was broken into they cut through a double roof (it used to be a flat top) broke out a window and climbed through the bars to get out.

He also broke the glass out of a unlocked display case to take one item.

A few thousand dollars in damage for a $300 gun. Afaik the guy is still in jail. Although I don't think on that charge.

Re:

[sims 2]

Thanks for the information we use the kwikset classics. while that is worrying I don't think anything will be done about it until crooks go back to using doors.

One of the business in town even had the doors stolen from the front of their building nothing else just the doors. http://www.sequoyahcountytimes... [sequoyahcountytimes.com]

You can still see the boot print on one of our doors from when someone tried to kick it in a few years ago might have even worked to if it hadn't been sealed off after a car ran into it a few years prior

Re:

[ecsyle]

I would love to use Firefox for more than web dev. At this point I consider all web browsers to be crap and look forward to the next Firefox-like browser to shake things up.

Re:

[Anonymous Coward]

Because it doesn't shit itself every 5 minutes unlike Chrome

For the better part of a year I thought my OS was becoming unstable because of the non-stop crashing / memory leaks and general failure of Chrome to do anything, then I switched back to Firefox (after probably 8 years or so of abandonment) and discovered that it not only ran better but rarely crashed. The UI is pretty nice as well

It's not perfect but then, what is

Re: Why is anyone still running Firefox?

[Anonymous Coward]

The vulnerability affects the backend Pocket webserver (and the AWS account that the Pocket servers run in).

I don't see how this affects me personally just because I use Firefox as a web browser.

Re:Why is anyone still running Firefox?

[mujadaddy]

Why is anyone still running Firefox?

I haven't met a privacy concern I can't address yet with Firefox, whereas with Chrome I can only cover about 50% of the issues. I don't agree with the Set of Recent Distraction Additions, but with Firefox I can at least get robust control over every bit of my browsing experience. [NoScript, Cookie Whitelist, uMatrix, +hosts blacklist, in case you were curious. No Adblocker required. [extremetech.com]]

Re:

[OverlordQ]

You still havent named anything you can do in Firefox you can't do in Chrome. All those exist as equivalent chrome extensions.

Re:Why is anyone still running Firefox?

[Tablizer]

1) Plugin choice, 2) It's not (quite) corporate-ware like Chrome etc.

Re:

[TechyImmigrant]

Why is anyone still running Firefox? (Other than those of us who need to a keep a copy around for web dev.)

Because

dnf install firefox works.
dnf install chrome does not.

Re:

[Darinbob]

Alternatives? Chrome is even worse regarding it's update schedules. Anything from Microsoft is just right out and is unportable. Safari just feels wrong to me. The question is rhetorical though, I don't need to hear from the opera fans and advocates of something goofy. Firefox does the job, allows plugins to increase security and decrease malware, and is open source (but using idiot management, but that's true for all other browsers on the planet).

Because of many misfeatures in Chrome

[Ungrounded Lightning]

There were several in the version of Chrome the IT department installed.

The straw that broke the camel's back for me was the inability to remove a typo-squatting, not-safe-for-work, website address from the drop-down autocomplete suggestions in the address bar.

Old style

[Anonymous Coward]

I'm really old-style. I bookmark the sites I regularly visit and that's it. I don't need this level of "continuity" (also referencing the Apple feature).

Maybe I don't miss what I don't know or maybe I don't care about what I miss. Besides, these days web sites are mostly story aggregators so there's probably not a whole lot of original content to miss.

Re:

[DrVxD]

Firefox already has the mechanism to save pages for later (bookmarks)

A bookmark saves the *location* of a page, not the content. Next time you open that bookmark, the content may have changed (e.g most news sites' home pages are updated several times a day as new content is added)
Pocket, on the other hand, saves a "snapshot" of the content of the page as-is. Next time you go to it, it'll have the same content.

Re:

[Eythian]

That's not what it's for. It's not for bookmarking things you visit regularly, that's what bookmarks and history are for. It's for saving articles you want to read later. Personally, I find that bookmarks suck for that as it's not their use case.

Then you go on about how most content isn't original and what's the point anyway. What are you even doing reading slashdot then? Seriously, your "I don't understand how this works, and it's probably useless anyway now get off my lawn" head-in-sand ignorance is somet

Should not be any default

[drinkypoo]

Like all the other crap that's been added to our "browser", there should not be any default.

If you want to save a web page for later perusal on the same device, you can use Scrapbook Plus [mozilla.org]. It works. (If you want to install it on a recent browser and not an extended support release, scroll down and install from the development channel.)

bookmarks?

[Anonymous Coward]

Am I missing something, or is there absolutely no point in this "Pocket" service? To save articles to read later? Isn't that what bookmarks are for? To save these across multiple computers? Chrome does that for me already... And I'm still not sure what they mean by making it readable offline later? Is it saving an entire copy of the article on the server? Wouldn't you still require ONLINE access to actually get these files or are they shadowed to your local device to?

If that's the case, there's this amazing "save as" option in most browsers, even "offline mode". None of these give anyone root access to anything. The thing is full of holes and apparently fills a niche for what, 1 guy too lazy to bookmark stuff? WTH

I don't get the point of this software at all. And I find it pretty insane that a system to merely let you save articles to read later would somehow gain root priv. What the heck is going on in the backend to allow that?

Re:

[Anonymous Coward]

That's an impressive rant, but personally I find it very useful, because of the mobile app. I click 'Add to Pocket' and the service grabs the content, strips out all the ads/fluff/sidebars/styling to leave a mobile-friendly article and caches it on my phone so I can read it whenever, even without a network connection, which is usually the case since I normally read things when I'm on trains.

Re:

[drinkypoo]

I appreciate the ease of use argument, but with not too much more effort one could use a tool like hacktheweb to remove the crap (usually pretty easily, in fact) and then print the result to a PDF.

Re:

[Eythian]

PDFs are not good for reading on mobile devices, not even counting the extra effort to get it there. And why would you expend that effort when you could ... not?

I'm all for decreasing reliance on closed services, and I think Firefox building this in isn't a move consistent with their principles, but pocket is quite useful and functional tool.

Re:

[drinkypoo]

PDFs are not good for reading on mobile devices, not even counting the extra effort to get it there.

No problems here. Get a better mobile device.

And why would you expend that effort when you could ... not?

Because I don't trust third party services. That lack of trust is obviously well-founded. I prefer to use fewer of them as a result.

Re:

[Eythian]

No problems here. Get a better mobile device.

No. That's a terrible answer with no thought behind it at all. Some people like their phone with a 3 inch screen. PDFs are not a format for display in all manner of layouts. You're just being silly.

Because I don't trust third party services. That lack of trust is obviously well-founded. I prefer to use fewer of them as a result.

Most people don't care. Also, most people aren't so technically inclined to build every service they might want from the ground up, or want the hassle of going through and manually moving files between things. If you're not the target market, fine. But don't try to apply your own perspectives onto everyone else.

Cloud

[Archangel Michael]

I'm getting to the point of just assuming that anything in the Cloud is insecure. That assumption makes security so much easier. There is no security.

Re:

[Cro Magnon]

^This! There have been leaks in the Cloud since even before the Cloud had anything to do with computers.

Re:

[Fnord666]

There have been leaks in the Cloud since even before the Cloud had anything to do with computers.

Does that make it a rain Cloud?

Some backslash?

[Anonymous Coward]

Everybody knows forward slashes are the way to go.

*This* is why Mozilla needs to stand down....

[QuietLagoon]

Mozilla has been viewing Firefox like a kitchen sink, dumping everything into it.

The backlash has caused Mozilla to take a step back and re-evaluate things. But is it too little too late?

To me it looks as if Mozilla is in circle the wagons mode, being super defensive across the board. Constructively critical reviews about add-ons are being removed, apparently to keep the ratings in the 4 to 5 range for add-ons. Messages documenting problems are being removed in the support forums. (I saw one message that described a problem similar to the one I was having. When I went back to re-read it a day later, it had been removed.)

It looks like Mozilla has made its transition to a bloated corporation complete. They now appear to be in the "control the message" mode of operation.

Re:

[CrashNBrn]

Opera didn't face less negativity over their capitulation... but the only place to raise the issues was on the Opera Forums|Blog... Those "platforms" are actively censored... as well Opera ASA nixed "MyOpera" and all of its 10+ year content - including user-created Opera Documentation|Tips.
Fuck Opera.

Re:*This* is why Mozilla needs to stand down....

[QuietLagoon]

...People seem to just like being negative about Firefox....

Not really. Mozilla has earned all the grief it receives for what it has done to Firefox.

.
Firefox has been losing marketshare as a result of what Mozilla has been doing to Firefox. Mozilla needs to take its head out of its collective arse and realize that people complain about Firefox because they like the way Firefox was, i.e., not bloated but functional, sleek and a driver of standards.

Nowadays, Firefox's marketshare is getting dangerously close to the point where it no longer can be a driver of web standards.

Your message paints Firefox as the victim of mean people who just hate it. Until Mozilla realizes and acknowledges what is really going on, i.e., people who liked Firefox want to see it return to its former glory, Firefox will continue to move towards the has-been of browsers.

Re:

[andymadigan]

It's not hypocritical. If Firefox starts taking on all of the "downsides" of Chrome, then the equation changes. Now the question is, what does Chrome have that Firefox doesn't? What does Firefox have that Chrome doesn't?

On Mac, I use Safari. On Windows, I use Chrome, not FF. Why? Because FF can not seem to *get out of the fucking way* and let me browse.

Every time it updates I have to close the stupid update page. On first install, I lost count of the number of prompts I had to close before I could just use

Re:

[KGIII]

Maybe Firefox should stick to making a core browser that works and is secure. Then forks can make alternative versions with all the bells and whistles as needed. I do not really have a solution but that is what comes to mind.

Re:

[CrashNBrn]

Firefox isn't even remotely close to "kitchen-sink". You have to install add-ons for the most basic "tab options"... actually you pretty much have to install an Add-On to get any options at all. Want to change keyboard shortcuts? Add-on. Want to actually be able to manage your sessions? The "built-in" session manager... yeah it can't do that, go get another add-on.

Vague attempt at subliminal advertising

[shabble]

the third party web-based service chosen by Mozilla (with some back slash )

...or just the usual standard of proofreading we've come to expect around here?

Abandon ship

[LichtSpektren]

and use Chromium. It's 100% FLOSS (Firefox no longer is because of all the third-party binaries integrated therein), doesn't choke to death on memory leaks, and the default telemetry collection (spyware) is just as invasive as Firefox's.

backslash... Really?

[Mr. Droopy Drawers]

The word you're looking for is B-A-C-K-L-A-S-H. I think backslash is an alternate universe of Slashdot...

Clean it up & save on your own drive.

[swell]

As many have said, it is insane to save things related to your personal interests on an anonymous server. Most of us have trilobytes of hard drive space available--so use it. Also, few web pages are worth saving due to the 30% devoted to content, 70% to obnoxious noise. So, some cleanup is desirable.

Here's what works on my Mac (YMMV): I find an interesting page that I haven't time to study right now so my first choice is to Copy the text and Paste it into a text editor. Perhaps there are pictures and charts