Security Weekly 59: A Bug In WordPress 5.0 And Logitech Software, Facebook Photo Vulnerability
Just a week after the major WordPress 5.0 release, the developers of the world’s most popular CMS shipped a patch covering a number of serious vulnerabilities (news).
Seven issues were closed in total. The most serious one, in some WordPress configurations, allows search engines to index the new-user activation page. The URL of that page contains the activation key, which makes it possible to leak user email addresses and, in some cases, even the automatically generated passwords.
The fix moves the identifier from the URL into a cookie. The vulnerability also affects the 4.x branch; version 4.9.9 has been released for those who, for whatever reason, are not ready to upgrade to WordPress 5.0. Three further XSS vulnerabilities theoretically allow already registered WordPress users to escalate their privileges, in one case by editing comments left by the admin. Also closed was a vulnerability in PHP that allowed an arbitrary save path to be specified when uploading a file; researcher Sam Thomas covered it in more detail at the Black Hat conference (PDF). More on all the closed vulnerabilities can be found on the Wordfence blog.
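As an added illustration of the activation-key fix described above (this is example code, not WordPress's own implementation, and the cookie name, the redirect mechanism, the pending-activation table and the log lines are all constructed for the example): the handler below models the hardened flow, in which a key arriving in the URL is moved into a cookie and the browser is redirected to a bare URL, so that whatever gets indexed, logged or sent as a Referer no longer carries the secret. A second function scans constructed access-log lines for activation URLs that still carry a key, which is the check an administrator would run to see whether keys have already been exposed in logs.

```python
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

ACTIVATE_PATH = "/wp-activate.php"
COOKIE_NAME = "wp-activate-key"  # assumed cookie name for this example

# Constructed store of pending activations: key -> (email, generated password).
PENDING = {
    "c4d1f7e2a9b3": ("alice@example.org", "Xk9!pq2R"),
}


def handle_activation(path, query, cookie_header=""):
    """Model of the hardened flow: the secret never stays in the URL.

    Visit 1 (from the e-mail link): the key arrives as ?key=...; instead of
    rendering the page here, move the key into a cookie and redirect to the
    bare path, so the URL that can be indexed, logged or sent as a Referer
    carries no secret.
    Visit 2 (after the redirect): read the key from the cookie and activate.
    Returns (status, headers, body).
    """
    params = parse_qs(query)
    if "key" in params:
        cookie = SimpleCookie()
        cookie[COOKIE_NAME] = params["key"][0]
        morsel = cookie[COOKIE_NAME]
        morsel["path"] = ACTIVATE_PATH   # only sent back to this endpoint
        morsel["httponly"] = True        # not readable from page scripts
        morsel["secure"] = True          # HTTPS only
        morsel["samesite"] = "Strict"
        return 302, {"Location": path, "Set-Cookie": morsel.OutputString()}, ""

    incoming = SimpleCookie()
    incoming.load(cookie_header)
    morsel = incoming.get(COOKIE_NAME)
    if morsel is None or morsel.value not in PENDING:
        return 404, {"X-Robots-Tag": "noindex"}, "Unknown or missing activation key."
    email, password = PENDING.pop(morsel.value)  # single use
    return 200, {"X-Robots-Tag": "noindex"}, f"{email} activated. Password: {password}"


# Matches a key carried in a query string; stops at '&', whitespace or a quote.
KEY_PARAM = re.compile(r'[?&]key=([^&\s"]+)')


def find_keys_in_log(lines):
    """Return activation keys found in access-log request lines.

    Any key returned here has already left the server in plain text wherever
    the log is shipped, so it should be treated as exposed.
    """
    hits = []
    for line in lines:
        if ACTIVATE_PATH in line:
            match = KEY_PARAM.search(line)
            if match:
                hits.append(match.group(1))
    return hits


# Constructed access-log lines in Combined Log Format.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Dec/2018:10:01:02 +0000] "GET /wp-activate.php?key=c4d1f7e2a9b3 HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Dec/2018:10:01:03 +0000] "GET /wp-activate.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Dec/2018:10:05:00 +0000] "GET /?s=key=not HTTP/1.1" 200 8000 "-" "Googlebot/2.1"',
]


if __name__ == "__main__":
    status, headers, _ = handle_activation(ACTIVATE_PATH, "key=c4d1f7e2a9b3")
    print(status, headers["Location"], headers["Set-Cookie"])
    status, _, body = handle_activation(ACTIVATE_PATH, "", headers["Set-Cookie"].split(";")[0])
    print(status, body)
    print("keys exposed in log:", find_keys_in_log(SAMPLE_LOG))
```

The first log line shows why the redirect matters: the key is recorded once, on the initial request, but the page that actually renders the credentials is served from a URL with nothing sensitive in it, and the `X-Robots-Tag: noindex` header tells crawlers to stay away from it regardless.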
Facebook has leaked data again. Or rather, it hasn’t quite: last week the company disclosed (news, FB blog post) a bug in its API that allowed third-party applications to access user photos. The bug existed from 13 to 25 September. During that time, third-party applications that users had already granted access to their Facebook photos could request all of the account’s images. Under normal conditions, access is granted only to photos the user publishes on their timeline. For almost two weeks, the API also exposed photos from Stories, photos from Marketplace and more. Worst of all, it also exposed private snapshots, including ones the user never published anywhere but had only uploaded to the social network.
The bug affected 6.8 million users. After the well-known discussions about the privacy of the data the social network collects, every piece of news about another security hole attracts a lot of attention. In this case, though, nothing particularly terrible happened: they introduced a bug, found it and fixed it. The earlier problem with the feature for viewing a page as another user was more serious. As usual, Facebook is not alone with its vulnerabilities: after finding yet another problem in Google+, Google decided to shut down that unlucky social network even earlier than planned.
Researcher Tavis Ormandy of Google’s Project Zero team published (news, detailed report) details of a bug in a Logitech keyboard utility. The vulnerability in Logitech Options was discovered back in September, after which the vendor took quite a long time to fix it. And the problem is an interesting one. The utility lets the user reassign keyboard buttons, and it was quite unexpected to find an attack vector there. Yet one exists: the application listens for commands on a specific TCP port and does not check at all where they come from.
As a result, the utility can be controlled remotely via a specially crafted web page. A similar problem (albeit somewhat easier to exploit) was once widespread among routers: they could be administered without the user’s knowledge as soon as the user opened a page in a browser. Through the exposed network interface, one can change the program’s settings and also inject arbitrary sequences of characters on the keyboard’s behalf, which could theoretically be used to take control of the system.
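The missing piece in the Logitech case is a check on where a command came from. As an added example (not Logitech’s code and not taken from the Project Zero report; the port number, the allowed origin and the sample requests are constructed placeholders), the function below shows the two header checks a service listening on a local port should apply to browser-originated traffic before acting on a command: the `Host` header must name a loopback address on the expected port, which defeats the simplest DNS-rebinding path, and the `Origin` header must be present and on an allow-list, which stops an arbitrary web page from driving the service. Both headers are sent by browsers on cross-origin and WebSocket requests, so the same check covers either transport.

```python
from ipaddress import ip_address

LISTEN_PORT = 12345  # placeholder; the post does not name the real port
# Constructed allow-list: the only page origins that may drive the service.
ALLOWED_ORIGINS = {"https://options.example.invalid"}


def _host_is_loopback(host_value, port):
    """True if the Host header names a loopback address on the expected port.

    A page whose DNS name has been rebound to 127.0.0.1 still reaches the
    service with Host: <that name>:PORT, so rejecting non-loopback hosts
    blocks that route before the Origin check even runs.
    """
    hostname, sep, portstr = host_value.rpartition(":")
    if not sep or not portstr.isdigit() or int(portstr) != port:
        return False
    hostname = hostname.strip("[]")  # IPv6 literals arrive as [::1]:port
    if hostname == "localhost":
        return True
    try:
        return ip_address(hostname).is_loopback
    except ValueError:
        return False


def is_trusted_request(headers, allowed_origins=ALLOWED_ORIGINS, port=LISTEN_PORT):
    """Decide whether a browser-originated request may reach the control API.

    headers: dict of request headers (names are matched case-insensitively).
    Returns (accepted, reason); the reason is meant for the service's log.
    """
    h = {name.lower(): value for name, value in headers.items()}
    if not _host_is_loopback(h.get("host", ""), port):
        return False, "host is not loopback:port"
    origin = h.get("origin")
    if origin is None:
        return False, "origin header missing"
    if origin not in allowed_origins:
        return False, "origin not allowed"
    return True, "ok"


# Constructed header sets for four situations a local listener will see.
SAMPLE_REQUESTS = {
    # The vendor's own web UI talking to the local service.
    "legitimate_ui": {
        "Host": "127.0.0.1:12345",
        "Origin": "https://options.example.invalid",
        "Upgrade": "websocket",
    },
    # An unrelated page the user happened to open, opening a socket to localhost.
    "foreign_page": {
        "Host": "127.0.0.1:12345",
        "Origin": "https://somesite.example.invalid",
        "Upgrade": "websocket",
    },
    # A page served from a name that now resolves to 127.0.0.1.
    "dns_rebinding": {
        "Host": "rebind.example.invalid:12345",
        "Origin": "http://rebind.example.invalid",
    },
    # No Origin at all: not a browser page we can vouch for.
    "no_origin": {"Host": "127.0.0.1:12345"},
}


def triage():
    """Run every sample request through the check; returns name -> accepted."""
    return {name: is_trusted_request(hdrs)[0] for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        accepted, reason = is_trusted_request(hdrs)
        print(f"{name:14s} accepted={accepted} ({reason})")
```

Rejecting requests with no `Origin` header is deliberate here: the check models traffic from browsers, which always send one on cross-origin and WebSocket requests; a native client that must talk to the same port needs its own authentication rather than an exemption from this check.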
And I was just about to buy some @Logitech meeting equipment for several rooms.
Guess I better don't, as they don't give a sh.. about users' security.— boosted Bobby Tables (@KiPos_info) December 12, 2018
The utility runs by default at system boot, which makes the problem even worse. The researcher published the information after the disclosure deadline expired, on December 11th. Two days later, Logitech released an updated version of the program that appears to close the vulnerability. However, not everyone agrees with that assessment.