This Week in Security: Google Photos, Whatsapp, and Doom on Deskphones

Google Photos is handy. You take pictures and videos on your cell phone, and they automatically upload to the cloud. If you’re anything like me, however, every snap comes with a self-reminder that “the cloud” is a fancy name for someone else’s server. What could possibly go wrong? How about some of your videos randomly included in another user’s downloads?

Confirmed by Google themselves, this bug hit those using Google Takeout, the service that allows you to download all your data from a Google application as a single archive. Google Photos archives downloaded between November 21 and November 25 may contain videos from other users, according to a notice sent to the users who downloaded said archives. It’s notable that those notices haven’t been sent to the users whose videos were exposed.

Whatsapp

Whatsapp has been in the news for a couple reasons in the last few days. I’ll leave it to you to decide if the stories are related. First, Jeff Bezos seems to have had some of his accounts or devices compromised by Saudi agents. The popular theory is that a video sent over Whatsapp contained an exploit, which when downloaded on Bezos’ iPhone, resulted in a persistent compromise. This theory seems to be supported by an analysis by FTI.

Reading through the report is… underwhelming. The video they suspect to have been the compromise vector wasn’t ever successfully decrypted. No actual Indicators of Compromise were found, and no maliciously changed system files were identified. The closest thing to a smoking gun found in the report is the vast amount of outgoing data observed after the potential compromise. There are questions about the usefulness of that metric, and Robert Graham does a good job debunking the report.

Whatsapp *has* had several high profile vulnerabilities that could have been used to pull off an attack like this. Which brings us to the topic of vulnerabilities in Whatsapp, so here’s one in the desktop app.

[Gal Weizman] discovered a weird Whatsapp problem in 2017. When using the web interface, and sending a message that quoted a previous message, it was possible to manipulate the message being quoted, putting words in someone’s mouth. He found it amusing, but eventually came back to take a more serious look at what he’d found. He discovered that he could also hijack the link preview banner, giving him a cross-site scripting attack. That would be a serious enough vulnerability in itself, but not content with XSS, [Gal] took things one step further.

Whatsapp offers a native desktop app, using the Electron framework. Electron essentially lets you package a web app in native form. Under the hood, it’s simply a browser bundled with the web-based code. A consequence of Electron is that an XSS vulnerability will likely work in an Electron app as well. This was no exception, and since Whatsapp was shipping their app with an ancient version of Electron, an old Chrome vulnerability was still present, resulting in a viable RCE that escapes the Electron app.

Whatsapp has released updates that address these issues, so if you have desktop Whatsapp installed, go make sure it’s up to date!

I Got Phished

You’re familiar with haveibeenpwned.com. Have you ever thought to yourself, if only there was a service that alerted me when one of my domains showed up in a phishing attack… I Got Phished is the service for you. It’s intended for a company’s security team to sign up with the company domains. When an email address from one of those domains shows up in a phishing database, the team gets an email alerting them.

All it takes to sign up is the abuse@, postmaster@, noc@, or security@ email address for the domain you want to monitor. So gmail users, you’re out of luck. If you run your own domain, then maybe it’s worth signing up for the service.

Nortek Smart Locks

A series of smart locks made by Nortek Security & Control has a vulnerability that is now being actively exploited. A PHP endpoint on those devices fails to sanitize its inputs properly, runs as root, and can be used to run arbitrary commands. “card_scan_decoder.php” is accessible over HTTP, and anything in the “door” parameter is executed as root. The active attack uses wget to grab a file from a remote server and run that file.

To exploit this flaw remotely, the endpoint has to be accessible, which means that only devices with a public IP address are vulnerable so far. The limited IPv4 address space and widespread usage of NAT have once again blunted the impact of a really serious vulnerability. It will be interesting to watch what happens with the growing popularity of IPv6, as more devices, many of them poorly secured, get their own publicly reachable IP addresses.

Doom on a Desk Phone

Researchers at Armis have published their research into Cisco hardware under the name CDPwn, inspired by Cisco’s CDP (Cisco Discovery Protocol). The interesting details are available in their whitepaper, but before we get to that, take a moment to watch the video embedded below, as it combines a couple of our favorite things here at Hackaday: security vulnerabilities, and running Doom on unexpected hardware.

Cisco manufactures hundreds of different devices, and one of their selling points is interoperability. You plug a Cisco phone into a Cisco switch, and they do some autoconfiguration magic, setting up proper VLANs, etc. Many of these features depend on proprietary Cisco protocols, and one of the most important is CDP. This layer-2 protocol allows devices to communicate with each other, regardless of what VLAN they’re set to. After looking at previously discovered CDP flaws, the guys at Armis got to work. Their first discovery was a Denial of Service attack. A packet informing a neighboring device about addresses lacked a reasonable upper bound on the number of addresses described. An incoming packet could claim to be describing three billion addresses, and the target device would simply crash trying to allocate enough memory to handle the packet.

One surprising discovery is that the CDP implementation seems to be built from scratch for different Cisco product lines. While this means that a single vulnerability can’t be leveraged across every device, it does suggest that more vulnerabilities will exist overall, and will take longer to fix. In VoIP phones, for example, the PortID TLV (Type-Length-Value) is copied into a static buffer without proper length checks. It’s a trivial buffer overflow, easily leading to exploitation.
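Both CDPwn defects described above are missing bounds checks in a TLV parser: an address count that is trusted without comparing it to the bytes actually present, and a PortID string copied into a fixed buffer using the attacker-supplied TLV length. The following C parser is an added example, not code from Armis or Cisco, and it uses an assumed, simplified TLV layout (2-byte type, 2-byte length that includes the header, big-endian) with made-up type codes, a made-up minimum address-entry size, and constructed sample packets; it shows what the two checks look like when they are present.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed, simplified CDP-style TLV layout for this example:
 *   type(2, big-endian) | length(2, big-endian, includes the 4-byte header) | value
 * Address TLV value: count(4, big-endian) followed by `count` entries of at
 * least ADDR_ENTRY_MIN bytes each. Port ID TLV value: a raw string. */
#define TLV_ADDRESS    0x0002   /* assumed type code */
#define TLV_PORT_ID    0x0003   /* assumed type code */
#define ADDR_ENTRY_MIN 5        /* smallest plausible entry: 1-byte protocol tag + IPv4 */
#define PORT_ID_MAX    32       /* fixed destination buffer, as on the phones */

enum cdp_err {
    CDP_OK = 0,
    CDP_ERR_TRUNCATED = -1,     /* TLV header or value runs past the packet */
    CDP_ERR_ADDR_COUNT = -2,    /* claimed address count cannot fit in the TLV */
    CDP_ERR_PORT_ID_LEN = -3    /* Port ID longer than the destination buffer */
};

struct cdp_info {
    uint32_t addr_count;
    char port_id[PORT_ID_MAX];
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Walk the TLVs in pkt[0..len) and fill `out`; returns CDP_OK or a cdp_err value. */
int cdp_parse(const uint8_t *pkt, size_t len, struct cdp_info *out) {
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 4) return CDP_ERR_TRUNCATED;
        uint16_t type = rd16(pkt + off);
        uint16_t tlen = rd16(pkt + off + 2);
        /* The TLV length is attacker-controlled: it must cover its own header and
         * must not run past the end of the packet. */
        if (tlen < 4 || tlen > len - off) return CDP_ERR_TRUNCATED;
        const uint8_t *val = pkt + off + 4;
        size_t vlen = tlen - 4;

        if (type == TLV_ADDRESS) {
            if (vlen < 4) return CDP_ERR_TRUNCATED;
            uint32_t count = rd32(val);
            /* The claimed count must fit in the bytes actually present. Without this
             * check a packet can claim billions of addresses and drive an allocation
             * sized from `count` rather than from the packet. */
            if (count > (vlen - 4) / ADDR_ENTRY_MIN) return CDP_ERR_ADDR_COUNT;
            out->addr_count = count;
        } else if (type == TLV_PORT_ID) {
            /* Bound the copy by the destination buffer, not by the TLV length. */
            if (vlen >= PORT_ID_MAX) return CDP_ERR_PORT_ID_LEN;
            memcpy(out->port_id, val, vlen);
            out->port_id[vlen] = '\0';
        }
        off += tlen;
    }
    return CDP_OK;
}

/* Constructed sample packets (not real captures). */
static const uint8_t PKT_GOOD[] = {
    0x00,0x02, 0x00,0x0D, 0x00,0x00,0x00,0x01, 0x01,0xC0,0xA8,0x01,0x01, /* one IPv4 entry */
    0x00,0x03, 0x00,0x0B, 'P','o','r','t','-','0','1'                   /* Port ID "Port-01" */
};
static const uint8_t PKT_HUGE_COUNT[] = {
    0x00,0x02, 0x00,0x0D, 0xB2,0xD0,0x5E,0x00, 0x01,0xC0,0xA8,0x01,0x01  /* claims 3,000,000,000 */
};

/* Small wrappers so the results can be checked by name. */
uint32_t demo_good_addr_count(void) {
    struct cdp_info info;
    if (cdp_parse(PKT_GOOD, sizeof(PKT_GOOD), &info) != CDP_OK) return 0xFFFFFFFFu;
    return info.addr_count;
}
int demo_good_port_id_matches(void) {
    struct cdp_info info;
    if (cdp_parse(PKT_GOOD, sizeof(PKT_GOOD), &info) != CDP_OK) return 0;
    return strcmp(info.port_id, "Port-01") == 0;
}
int demo_huge_count(void) {
    struct cdp_info info;
    return cdp_parse(PKT_HUGE_COUNT, sizeof(PKT_HUGE_COUNT), &info);
}
int demo_long_port_id(void) {
    uint8_t pkt[4 + 40];                       /* Port ID TLV with a 40-byte value */
    pkt[0] = 0x00; pkt[1] = 0x03; pkt[2] = 0x00; pkt[3] = 44;
    memset(pkt + 4, 'A', 40);
    struct cdp_info info;
    return cdp_parse(pkt, sizeof(pkt), &info);
}

int main(void) {
    printf("good packet: %u address(es), port id ok=%d\n",
           demo_good_addr_count(), demo_good_port_id_matches());
    printf("huge count -> %d, long port id -> %d\n", demo_huge_count(), demo_long_port_id());
    return 0;
}
```

The two rejected packets are exactly the shapes the text describes: the first claims three billion addresses inside a 13-byte TLV, the second carries a PortID longer than the 32-byte destination. A parser that derives its allocation size and its copy length from the packet contents rather than from what is actually on the wire is what turns both into a crash or an overflow.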

Cisco has firmware updates available for the affected devices. These aren’t particularly sophisticated attacks. It appears, once again, that a reputable brand name doesn’t guarantee quality code running under the hood.