Mozilla's decision to build Pocket into all versions of Firefox drew criticism from security experts and ordinary users alike. The extension cannot be disabled or removed in any way. The problem was even filed as a ticket in the Bugzilla issue tracker, but Mozilla's developers made no concessions and kept Pocket as part of Firefox.
Now the critics have another argument. Multiple vulnerabilities have been found in the Pocket extension for Firefox. Although the developers have released patches for them, this once again shows that the extension may do more harm than good.
Pocket saves web pages so they can be read later on a computer or mobile device. You only need to give it a URL, and the document is saved for later.
Security specialist Clint Ruoho tried "feeding" Pocket non-standard links:
- file:///etc/passwd
- ssh://localhost
- telnet://localhost:25
These attempts failed, but he had better luck with another link.
The Pocket server accepted the request and returned a response:

    Apache Server Status for 127.0.0.1
    Server Version: Apache/2.2.29 (Unix) DAV/2
    Server Built: Mar 3:50:17 December 2015
    Current Time: Tuesday, 28-Jul-2015 10:07:45 CDT
    Restart Time: Tuesday, 28-Jul-2015 03:20:12 CDT
    Parent Server Generation: 12
    Server uptime: 6 hours 47 minutes 32 seconds
    Total accesses: 241913 - Total Traffic: 4.1 GB
    CPU Usage: u1209.24 s110.06 cu0 cs0 - 5.4% CPU load
    9.89 requests/sec - 177.5 kB/second - 17.9 kB/request
    40 requests currently being processed, 14 idle workers
    ...
There is more. It turned out that Pocket runs on Amazon EC2. EC2 provides the Instance Metadata and User Data service, which is accessed locally without authentication. If the right URL is submitted to Pocket "for saving", exactly such a request is made locally, handing the hacker service metadata about the virtual machine: zone, instance type, network type, MAC address, and information about the attached storage devices.
Perhaps the most dangerous vulnerability concerns how the Pocket crawler processes redirects. If you submit a link that redirects to file:///etc/passwd, Pocket fetches that same file:///etc/passwd on the server.

    HTTP/1.1 301 Moved Permanently
    Location: file:///etc/passwd
    Content-Length: 52
    Date: Tue, 28 Jul 2015 18:42:58 GMT
    Connection: keep-alive

    Moved Permanently. Redirecting to file:///etc/passwd
The same goes for file:///proc/self/status, which gives information about running processes.
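The redirect problem described above comes from validating only the first URL. The following is an added example, not Pocket's code: a crawler-side check that is re-applied to every redirect hop and refuses non-HTTP schemes and non-public addresses. The DNS table, the responses and the helper names are constructed for illustration; the link-local address is the one on which EC2 serves instance metadata.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}
REDIRECTS = {301, 302, 303, 307, 308}

def resolve(host):
    """Every address the host resolves to (an IP literal resolves to itself)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolver=resolve):
    """Return None if the crawler may fetch url, otherwise the refusal reason."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return "no host in URL"
    for addr in resolver(parts.hostname):
        # Loopback, private and link-local (cloud metadata) all fail is_global.
        if not ipaddress.ip_address(addr).is_global:
            return f"{parts.hostname} resolves to non-public address {addr}"
    return None

def crawl(url, fetch, resolver=resolve, max_hops=5):
    """Follow redirects by hand so every hop is checked before it is fetched."""
    for _ in range(max_hops):
        reason = check_url(url, resolver)
        if reason:
            return ("refused", url, reason)
        status, location, body = fetch(url)
        if status not in REDIRECTS or not location:
            return ("fetched", url, body)
        url = urljoin(url, location)
    return ("refused", url, "too many redirects")

# Constructed sample data: a fake DNS table and fake HTTP responses.
DNS = {"example.org": {"93.184.216.34"}, "localhost": {"127.0.0.1"}}
PAGES = {
    "http://example.org/article": (200, None, "saved"),
    "http://example.org/r1": (301, "file:///etc/passwd", ""),
    "http://example.org/r2": (302, "http://169.254.169.254/", ""),
}

def fake_resolver(host):
    return DNS.get(host, {host})

def fake_fetch(url):
    return PAGES[url]

if __name__ == "__main__":
    for u in ["file:///etc/passwd", "ssh://localhost", "http://localhost/", *PAGES]:
        print(u, "->", crawl(u, fake_fetch, fake_resolver))
```

In a real fetcher the connection must go to the address that was checked, otherwise a second DNS lookup can return a different, internal address.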
Firefox users are left to ask whether they need such a "leaky" extension in their browser.