Some of Our Sources
- Simplebits
- The Logo Smith
- Spoon Graphics
- Creative Curio
- FanExtra - PSD
- Specky Boy
- CSS Tricks
- Spyre Studios
- Willems Lab
- Hashedout
Help Webnuz
Referal links:
August 18, 2015 06:00 pm
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/2MmU--O3cKg/multiple-vulnerabilities-exposed-in-pocket
Multiple Vulnerabilities Exposed In Pocket
vivaoporto writes: Clint Ruoho reports on gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backslash) as the default way to save articles for future reading in Firefox. The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application. The entry point was exploiting the service's main functionality itself — adding a server internal address in the "read it later" user list — to retrieve sensitive server information like the /etc/passwd file, its internal IP and the ssh private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service giving the security researcher unrestricted access. All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.Read more of this story at Slashdot.
Original Link: http://rss.slashdot.org/~r/Slashdot/slashdot/~3/2MmU--O3cKg/multiple-vulnerabilities-exposed-in-pocket
Share this article:
Tweet
View Full Article
Slashdot
Slashdot was originally created in September of 1997 by Rob "CmdrTaco" Malda. Today it is owned by Geeknet, Inc..More About this Source Visit Slashdot