Tag archives for bug

RTFM 0day in iOS apps – Algorithm.dk

RTFM 0day in iOS apps: G+, Gmail, FB Messenger, etc. – Algorithm.dk.

I’ve been talking and writing about this for about a year, and this is another GREAT set of examples and techniques.
If you want to see examples as well as help on how to find these, I highly recommend that you watch my presentation, which I have just posted as well.

[CVE-2013-5726] – Tweetbot for iOS and Mac user disclosure/privacy issue

  • Affected Vendor: http://tapbots.com/
  • Affected Software: Tweetbot for Mac, iPad and iPhone
  • Affected Version: Mac: 1.3.3 – iPad: 2.8.5 – iPhone: 2.8.5
  • Issue Type: Lack of user confirmation leading to Twitter action revealing the user’s Twitter identity
  • Release Date: November 1, 2013
  • Discovered by: Guillaume Ross
  • CVE Identifier: CVE–2013–5726
  • Issue Status: Vendor has published version 3 for iPhone which resolves the issue. Vendor has confirmed the fix is in the Mac and iOS V2 codebase and should be released soon.

Summary

Tweebot is a Twitter client for Mac and iOS. Separate iOS versions exist for iPhone and iPad.

Tweetbot has a URL Scheme/association on all versions that allows actions to be triggered from within other applications. The supported actions can be viewed at http://tapbots.com/blog/development/tweetbot-url-scheme

Description

The actions related to following and favoriting do not prompt the user before performing the action. Additionally, Safari in iOS warns the user that an application will be launched only when the URL is used directly, but not when the URL is used within an inline frame. This makes the attack function without requiring user interaction.

 

Tweetbot URL Vulnerability on iOS

Impact

A user browsing the web could click a malicious link or load a page containing a malicious link within an inline frame. The user would then favorite a tweet or follow a user account on Twitter. The attacker can use this action to identify the user browsing the page, to gather followers or to have the victim follow people they would be embarrassed to be associated with.

Proof of Concept

tweetbot:///follow/justinbieber

This URL would have the user follow Justin Bieber. By embedding it in an inline frame, the attack is automated on iOS and on Mac.

<iframe src="tweetbot:///follow/justinbieber"></iframe>

Response Timeline

  • August 27 2013 – Vendor notified
  • August 27 2013 – Vendor acknowledges vulnerability
  • October 24 2013 – Tweetbot v3 for iPhone is released and resolves the issue
  • October 31 2013 – Vendor confirms the fix is in the V2 and Mac code base and will be released soon
  • November 1 2013 – Vulnerability Disclosed

Temporary workaround for the Mac version

Ensure that your browser does not automatically launch Tweetbot.

 

Here is a sample in Firefox.

Tweetbot Prompt in Firefox

 

[CVE-2013-5725] – Byword for iOS Data Destruction Vulnerability

[CVE–2013–5725] – Byword for iOS Data Destruction Vulnerability

  • Affected Vendor: http://metaclassy.com/
  • Affected Software: Byword for iOS
  • Affected Version: 2.x prior to 2.1
  • Issue Type: Lack of validation/user confirmation leading to destruction of data
  • Release Date: 29 Sept 2013
  • Discovered by: Guillaume Ross
  • CVE Identifier: CVE–2013–5725
  • Issue Status: Vendor has published version 2.1 which adds a confirmation prompt to prevent the issue.

Summary

Byword is a text editor for iOS and OS X that can use iCloud or Dropbox to sync documents.

Byword supports actions through X-URLs on iOS.
One of the supported action replaces a file with the value passed through the URL.

Description

The Replace file action in the affected version does not warn the user and replaces the content of the target file with text specified in the X-URL.

The attacker must know the path to the file, but considering iCloud does not have subfolders, it makes it easier to guess filenames such as “todo.txt” file or an “important.txt” file, or the attacker could have received a file created by the victim using Byword and can guess the filename from the title.

Impact

The file can be overwritten and the data could be lost permanently.

Proof of Concept

byword://replace?location=icloud&path=&name=Important.txt&text=haha

This URL would replace the content of the file “Important.txt” in the user’s iCloud container for Byword with “haha”. By using iframes, the attacker can embed this attack in a web page. Safari on iOS will automatically launch Byword and overwrite the file.

<iframe src="byword://replace?location=icloud&path=&name=Important.txt&text=haha"></iframe>

Response Timeline

  • August 26 2013 – Vendor notified
  • August 26 2013 – Vendor acknowledges vulnerability
  • September 18 2013 – Update released that adds a warning/confirmation screen
  • September 29 2013 – Advisory released

Corrected in 2.1 with this prompt

Confirm Replace

Confirm Replace

Removing broken links from sidebar in Lion

A very small post for people searching about this specific issue:

You’re trying to delete an icon/shortcut from the sidebar in Finder, under Mac OS X Lion/10.7.

Right clicking doesn’t work, because that folder does not exist, or maybe it points to a share using an old version of AFP or SMB that you can’t connect to, because some company that almost has the same name as a famous dog if you pronounce it in french is a bad company that doesn’t update the firmware on any hardware old enough to have a lot of important data on it.

What you need to do is hold command and drag it to Trash instead of doing a right click.

Swedish Greys - a WordPress theme from Nordic Themepark.