One-Click Remote Code Execution Vulnerabilities Found in Multiple Popular Apps

Silviu STAHIE

April 16, 2021

Security researchers have identified several vulnerabilities in how desktop apps open and handle URLs, leading to one-click code execution: a single click on a crafted link is enough, with no further interaction from the user.

It's easy to assume that a simple action like opening a URL from an application poses little security risk, but that's not really the case. Apps that hand URLs to the operating system without proper precautions are a problem on every operating system.

No matter the OS, the danger is much the same. Attackers can craft URLs so that, once the app hands them to the OS, code of the attacker's choosing runs on the targeted device. If the message carrying the link is also built to take advantage of an existing vulnerability, one-click code execution is no longer out of reach.

“For any given software, [we] check all features where user-supplied values are opened as URLs (e.g. hyperlinks),” said the researchers from Positive Security. “If the feature, under the hood, uses the OS to handle the opening and allows arbitrary schemes without comprehensive warning messages, there is likely a way to exploit the feature on certain platforms.”

The researchers examined popular apps across several operating systems to identify the misbehaving ones. The Telegram desktop application for Windows, Linux and macOS was among those checked, and they found a number of problems, one of which had already been partially reported back in 2015 but remained unfixed until a few months ago.

The team also discovered a problem in VLC and reported it in January; it was fixed in a subsequent patch. The issue in Wireshark was much more straightforward.

“The Qt-based Wireshark packet analyzer application makes some fields which contain URLs double-clickable,” said the team. “These URLs were simply passed to QDesktopServices::openUrl, allowing for exploitation via malicious capture files or the live capture of maliciously crafted traffic.”

Other investigated apps included Bitcoin/Dogecoin wallets, Mumble, LibreOffice, OpenOffice and even the well-known WinSCP, all of which had security issues around the handling of external URLs. Since this is a multifaceted problem, it needs to be addressed from multiple sides: the OS, the frameworks and the apps themselves.
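The app-side fix the article calls for comes down to one rule: never pass a user-supplied string to the OS "open this URL" call (xdg-open, ShellExecute, QDesktopServices::openUrl and the like) without first restricting the scheme. The following is an added example, written for this page and not code from Positive Security or from any of the apps named above. It shows the vulnerable pattern (the string goes straight to the OS) next to a hardened check that enforces a scheme allowlist and refuses the classes of input that commonly slip past naive prefix checks: missing schemes (treated as local file paths by many launchers), backslash UNC-style paths, and leading whitespace or control characters. The `os_open` callback, the `ALLOWED_SCHEMES` set and the sample inputs are assumptions chosen for the demonstration, not values taken from the research.

```python
"""Scheme allowlist for user-supplied URLs before handing them to the OS.

Added example, not code from the Positive Security research or from any of
the apps named in the article. os_open stands in for whatever platform call
the app uses (xdg-open, ShellExecute, QDesktopServices::openUrl).
"""
import re
from urllib.parse import urlsplit

# Assumed policy: a chat client or viewer only ever needs these schemes.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ':'
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def vulnerable_open(url: str, os_open) -> None:
    """The pattern the article describes: the raw string goes straight to the
    OS handler, which picks a program purely by scheme (file:, smb:, ...)."""
    os_open(url)


def classify(url: str) -> str:
    """Return 'ok', or the reason this URL must not be passed to the OS."""
    # Whitespace or control characters anywhere: " file:///..." defeats a
    # naive startswith("http") check, and some launchers trim them before
    # dispatching. Reject rather than try to normalise.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return "control or whitespace character"
    # Backslashes never belong in a well-formed http(s)/mailto URL, and on
    # Windows \\host\share is opened as a UNC path by ShellExecute.
    if "\\" in url:
        return "backslash (UNC path / path confusion)"
    m = _SCHEME_RE.match(url)
    if not m:
        # No scheme: xdg-open and friends treat the string as a local path.
        return "missing scheme"
    scheme = m.group(1).lower()  # FILE: and file: are the same handler
    if scheme not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {scheme}"
    parts = urlsplit(url)
    if scheme in ("http", "https") and not parts.hostname:
        # http:///etc/passwd has an empty authority; refuse it.
        return "http(s) URL without host"
    if scheme == "mailto" and not parts.path:
        return "empty mailto"
    return "ok"


def safe_open(url: str, os_open) -> bool:
    """Hardened replacement for vulnerable_open: dispatch only validated
    URLs. Returns True if the URL was handed to the OS."""
    if classify(url) != "ok":
        return False
    os_open(url)
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the kind of strings a chat message, document
    # or packet capture field could carry. None of these are from the research.
    samples = [
        "https://example.com/page",
        "mailto:alice@example.com",
        "file:///etc/passwd",
        "smb://attacker.example/share/payload",
        "javascript:alert(1)",
        "\\\\attacker.example\\share\\payload.exe",
        " file:///etc/passwd",
        "/etc/passwd",
        "http:///etc/passwd",
    ]
    launched = []
    for s in samples:
        print(f"{classify(s):40s} {s!r}")
        safe_open(s, launched.append)
    print("handed to the OS:", launched)
```

The check deliberately reads the scheme with its own RFC 3986 regex instead of trusting `urlsplit` alone, so the verdict does not depend on how a given Python version strips leading whitespace. The same shape applies in Qt or native code: derive the scheme yourself, compare it case-insensitively against a short allowlist, and only then call the platform opener.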
