Ruoho: Multiple Vulnerabilities in Pocket
On his blog, Clint Ruoho reports on multiple vulnerabilities he found in the Pocket service that saves articles and other web content for reading later on a variety of devices. Pocket integration has been controversially added to Firefox recently, which is what drew his attention to the service. "The full output from server-status then was synced to my Android, and was visible when I switched from web to article view. Apache's mod_status can provide a great deal of useful information, such as internal source and destination IP address, parameters of URLs currently being requested, and query parameters. For Pocket's app, the URLs being requested include URLs being viewed by users of the Pocket application, as some of these requests are done as HTTP GETs.These details can be omitted by disabling ExtendedStatus in Apache. Most of Pocket's backend servers had ExtendedStatus disabled, however it remained enabled on a small subset, which would provide meaningful information to attackers." He was able to get more information, such as the contents of /etc/passwd on Pocket's Amazon EC2 servers.(Thanks to Scott Bronson and Pete Flugstad.)