The Hacker News Logo
Subscribe to Newsletter

Multiple Flaws Exposed in Pocket Add-on for Firefox

With providing easy accessibility, the battle is not won!

Server-side Vulnerabilities have been reported by a security researcher in the popular Pocket add-on that comes attached with the Firefox browser.

The security flaws could have allowed hackers to exfiltrate data from the company’s servers as well as populate reading lists with malicious links.

The Pocket button in the Firefox browser allows you to save links, videos, web pages, or articles to your Pocket account with just a click, making it easier for you to read them later, usually offline.

However, the vulnerabilities discovered by security researcher Clint Ruoho was such that it could allow hackers to get an unrestricted root access to the server hosting the application, the researcher wrote in his blog post.

For this to be done, a hacker only needs:
  • A browser
  • The Pocket Mobile app
  • Access to an Amazon EC2 Server which costs 2 cents an hour
The researcher, with the goal of exploiting the service's main functionality, was able to add a server internal address in the 'Read it Later' user list.



This could give an attacker access to the following sensitive server information:
  • IAM credentials
  • The server's internal IP address
  • Network type
  • The SSH Private Key that is being needed to connect without password
With the help of this information, it would be possible to gain unrestricted access, allowing hackers to read every file on the filesystem with root-level privileges on the back-end server.

Ruoho reported Read It Later, which owns Pocket, about the vulnerabilities he found and asked for a patch.



In response to the issues, the company issued a quick remediation and asked Ruoho to delay his full exposure of the vulnerabilities report by 21 days.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.