Multiple Flaws Exposed in Pocket Add-on for Firefox

ID THN:15A3189B1C697566CFF4ECA0F0A571AF
Type thn
Reporter Khyati Jain
Modified 2015-08-21T21:10:50


With providing easy accessibility, the battle is not won!

Server-side Vulnerabilities have been reported by a security researcher in the popular Pocket add-on that comes attached with the Firefox browser.

The security flaws could have allowed hackers to exfiltrate data from the company’s servers as well as populate reading lists with malicious links.

The Pocket button in the Firefox browser allows you to save links, videos, web pages, or articles to your Pocket account with just a click, making it easier for you to read them later, usually offline.

However, the vulnerabilities discovered by security researcher Clint Ruoho was such that it could allow hackers to get an unrestricted root access to the server hosting the application, the researcher wrote in his blog post.

For this to be done, a hacker only needs:

  • A browser
  • The Pocket Mobile app
  • Access to an Amazon EC2 Server which costs 2 cents an hour

The researcher, with the goal of exploiting the service's main functionality, was able to add a server internal address in the 'Read it Later' user list.

This could give an attacker access to the following sensitive server information:

  • IAM credentials
  • The server's internal IP address
  • Network type
  • The SSH Private Key that is being needed to connect without password

With the help of this information, it would be possible to gain unrestricted access, allowing hackers to read every file on the filesystem with root-level privileges on the back-end server.

Ruoho reported Read It Later, which owns Pocket, about the vulnerabilities he found and asked for a patch.

In response to the issues, the company issued a quick remediation and asked Ruoho to delay his full exposure of the vulnerabilities report by 21 days.