Submission + - Multiple Vulnerabilities in Pocket

vivaoporto writes: Clint Ruoho reports on the gnu.gl blog the process of discovery, exploitation and reporting of multiple vulnerabilities in Pocket, the third party web-based service chosen by Mozilla (with some backlash) as the default way to save articles for future reading in Firefox.

The vulnerabilities, exploitable by an attacker with only a browser, the Pocket mobile app and access to a server in Amazon EC2 costing 2 cents an hour, would give an attacker unrestricted root access to the server hosting the application.

The entry point was exploiting the service's main functionality itself — adding a server-internal address to the "read it later" user list — to retrieve sensitive server information such as the /etc/passwd file, its internal IP and the SSH private key needed to connect to it without a password. With this information it would be possible to SSH into the machine from another instance purchased in the same cloud service, giving the security researcher unrestricted access.

All the vulnerabilities were reported by the researcher to Pocket, and the disclosure was voluntarily delayed for 21 days from the initial report to allow Pocket time to remediate the issues identified. Pocket does not provide monetary compensation for any identified or possible vulnerability.
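The entry point described in the submission is a fetcher that retrieves whatever URL a user asks it to save. As an added example, not code from the gnu.gl write-up or from Pocket, this is the kind of server-side check such a fetcher can apply before retrieving a submitted URL; the function names and the injectable resolver are assumptions for illustration.

```python
# Added example, not Pocket's code: reject save-URLs that point at non-public hosts.
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses (rejects loopback,
    RFC 1918, link-local and multicast ranges)."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def default_resolver(host: str) -> List[str]:
    """Resolve a hostname to every IP it maps to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]

def validate_save_url(url: str,
                      resolver: Callable[[str], List[str]] = default_resolver
                      ) -> Tuple[bool, str]:
    """Decide whether a user-submitted URL may be fetched by the server.
    Returns (allowed, reason). The resolver is injectable so the check can
    be exercised offline; production code should connect to the address
    checked here rather than re-resolve the name (DNS rebinding)."""
    try:
        parts = urlsplit(url)
        host, _ = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %s" % (parts.scheme or "(none)")
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            return False, "hostname does not resolve"
    for addr in addresses:
        if not is_public_address(addr):
            return False, "resolves to non-public address %s" % addr
    return True, "ok"
```

A scheme allow-list alone would not have stopped the internal-address case; the address check after resolution is what blocks it, and every address a name resolves to must pass.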

Comment Re:At that price point, not much... (Score 5, Insightful) 116

You'll be getting crap for $100-150. Sorry, but you will. Now that being said, I have found a Syma x5C from Banggood for $63.51 CAD and has a 2MB camera. http://www.banggood.com/Syma-X... [banggood.com] and it's not bad for a beginner but it's going to get broken and then you'll be pissed off.

Not as fucking pissed off as he will be when his $400 drone crashes, eats a prop, gets caught in a gust of wind and wanders out to sea, etc. etc. It's much better to start with a $60 Hubsan or Syma and get some inexpensive practice flying in before moving up to something Phantom-level.

Media

Submission + - Washington Post fires mobile team (huffingtonpost.com) 1

imac.usr writes: The Huffington Post is reporting that The Washington Post has gone through yet another round of layoffs, but this time instead of cutting editorial positions, they're apparently cutting IT positions, specifically in the mobile applications department. According to Washington, DC media blog FishbowlDC, 54 people, including the General Manager of Mobile and Director of Mobile Products, were given the axe on Valentine's Day. A particularly damning quote from the FishbowlDC article: "'[CIO and VP Shaliesh] Prakash thinks these are "inefficiencies" – that is the exact word he uses for human beings who are not useful according to him,' said a source who spoke only on condition of anonymity. 'Get rid of experienced people to save money, under the garb of streamlining is the new trend inside the Post.'"

Given that mobile products seem somewhat more likely to succeed than printed newspapers, this seems a strange decision at best.
