Firefox's bookmarking extension Pocket: vulnerability hunting is not that hard
Pocket's developers recently fixed several data-leak vulnerabilities through which attackers could obtain information from the service's servers, including details of internal web services, internal IP addresses, and other sensitive data.
Introduction to Pocket
Pocket, formerly known as Read it Later, is an online bookmarking application that lets users save and manage links to articles they find on the web.
Security researcher Clint Ruoho described the application's vulnerabilities in a blog post on Tuesday. He says he began investigating Pocket's security in early June, when Firefox developers integrated it as a built-in extension.
Several vulnerabilities in detail
Ruoho noticed that Pocket routes some functions through an internal proxy. By sending requests to the Apache server behind it, he found that its mod_status page leaked information about Pocket users, including "internal resources, target IP addresses, request URL parameters and query parameters".
This means that, with ExtendedStatus enabled in Apache, an attacker could read other users' GET requests from the status page and so determine which articles they were reading or saving.
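The server-side setting behind this leak, shown as an added example rather than Pocket's own configuration: with ExtendedStatus on, mod_status prints the request line of every active worker, so an openly reachable /server-status page reveals other users' URLs. The weak configuration is shown beside a restricted one (Apache 2.4 syntax; the two blocks are alternatives, not meant to be used together).

```apache
# Weak: ExtendedStatus exposes each worker's current request line (method,
# URL and query string) on /server-status, and the handler is reachable
# from any client that can talk to the server.
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
</Location>

# Hardened: keep the status page for operators on the loopback interface
# only, and turn off ExtendedStatus unless per-request detail is needed.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require local
</Location>
```

Since Apache 2.3.6, merely loading mod_status switches ExtendedStatus on by default, so an explicit `ExtendedStatus Off` is worth stating. On a server that sits behind an internal proxy, as described above, the restriction must also account for the proxy: `Require local` is only meaningful if the proxy does not forward arbitrary client requests to /server-status, so checking from outside that the page returns 403 is the practical test.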
Ruoho told reporters on Wednesday:
"On the status page returned by the server, because the Pocket server enables ExtendedStatus, after a request is sent to the server, the server returns the first 60 characters of a GET request, or the complete request, including URL links that other Pocket users have read or saved."
In addition, Ruoho found that he could obtain instance metadata from the Pocket server without authentication. The server runs on Amazon's EC2 cloud hosting service.
This vulnerability may allow attackers to obtain web application authentication information and other details about Pocket's deployment, such as:
- identity and authentication credentials
- availability zone
- instance type
- network type
- MAC address
- details of attached storage block devices
The most worrying of the vulnerabilities Ruoho found is that if a malicious user deliberately saves a redirecting link in Pocket, an attacker may be able to read arbitrary files on the Pocket server as root. In the case Ruoho presented, the proof of concept used "file:///etc/passwd", which is easily replaced with other attack vectors.
Because Pocket runs on EC2-Classic instances, users in the US-EAST-1 region can access ports 22 and 80 of Pocket's EC2-Classic server.
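The metadata and redirect findings above share one root cause: a server-side fetcher that follows whatever URL or redirect it is handed, including file: URLs and hosts that resolve to the cloud metadata address or internal networks. The following is an added example of the validation such a fetcher should apply to the initial URL and to every redirect hop; it is not Pocket's code. The resolver table, host names and addresses are constructed so the example runs offline.

```python
"""Validate URLs before a server-side fetcher retrieves them, including
every hop of a redirect chain.  Added example, not Pocket's code."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}          # file:, gopher:, ftp: etc. are refused
EC2_METADATA = ipaddress.ip_address("169.254.169.254")  # cloud instance metadata


def is_disallowed_ip(ip) -> bool:
    """True for addresses a public-facing fetcher must never connect to."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                    # treat ::ffff:10.0.0.5 as 10.0.0.5
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or ip == EC2_METADATA)


def resolve(host: str):
    """Resolve a hostname to all of its addresses (real DNS; replaceable)."""
    infos = socket.getaddrinfo(host, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def check_url(url: str, resolver=resolve):
    """Return (ok, reason) for a single URL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:       # http://trusted@evil tricks
        return False, "userinfo not allowed"
    try:
        ips = [ipaddress.ip_address(host)]     # literal IPv4/IPv6 address
    except ValueError:
        try:
            ips = resolver(host)               # hostname, or odd forms getaddrinfo accepts
        except (socket.gaierror, OSError):
            return False, f"cannot resolve {host}"
    for ip in ips:
        if is_disallowed_ip(ip):
            return False, f"{host} resolves to disallowed address {ip}"
    return True, "ok"


def check_redirect_chain(urls, resolver=resolve, max_hops=5):
    """Check the starting URL and every Location target a fetcher would follow.

    urls[0] is the requested URL; urls[1:] are the successive redirect targets.
    """
    if len(urls) - 1 > max_hops:
        return False, "too many redirects"
    for hop, url in enumerate(urls):
        ok, reason = check_url(url, resolver)
        if not ok:
            return False, f"hop {hop}: {reason}"
    return True, "ok"


# Constructed resolver table (assumed names and addresses) so the demo is offline.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp.example": ["10.0.0.5"],
    "redirect-target.example": ["169.254.169.254"],
}


def fake_resolve(host: str):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return [ipaddress.ip_address(a) for a in FAKE_DNS[host]]


if __name__ == "__main__":
    # A saved link that looks harmless but redirects to the metadata address.
    chain = ["https://example.com/article", "http://redirect-target.example/"]
    print(check_redirect_chain(chain, fake_resolve))
    print(check_url("file:///etc/passwd", fake_resolve))
```

The checks must be applied to each redirect target before it is requested, not only to the URL the user submitted, because a redirect is exactly how the attacker steers the fetcher. A production fetcher should also connect to the address it validated rather than re-resolving the name at connect time, otherwise a DNS answer that changes between the check and the connection defeats the check.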
Pocket vulnerability postscript
Ruoho said that although these vulnerabilities sound hard to find, testing them manually needs nothing more than a browser or the Pocket mobile app; no other tools or scripts are required.
Mozilla has kept the Pocket feature in Firefox, and the issues have been fixed accordingly.
Fortunately, although Pocket offers no bug bounty, it proved to be a responsible vendor: during Ruoho's review, its engineers fixed the vulnerabilities quite quickly.