Jump to content

Security flaw in Logitech app allowed for keystroke injection attacks


Recommended Posts

After ignoring a bug report from Google's Project Zero security team, Logitech has finally released a security patch for one of its apps after waiting three months.

The vulnerability was discovered in the company's Options app that allows users to customise the functionality and behaviour of the buttons on their mice, keyboards and trackpads.

Google security researcher Tavis Ormandy first discovered that the app was opening a WebSocket server on user's machines back in September.

The server in question featured support for a number of intrusive commands and used a registry key to auto-start on each system boot.

Keystroke injection attacks

Ormandy offered further details on how the bug he discovered in Logitech's software could be used to take control of a user's system in a bug report, saying:

"The only 'authentication' is that you have to provide a PID [process ID] of a process owned by your user but you get unlimited guesses so you can bruteforce it in microseconds. After that, you can send commands and options, configure the 'crown' to send arbitrary keystrokes, etc, etc.,"

Ormandy informed Logitech about the issue in September and while the team acknowledged the bug report, it never released a patch to rectify the issue.

If a company has not issued a patch for a security issue after 90 days, Project Zero's policy is to publicly disclose the vulnerability which Ormandy did this week.

The bug report gained attention amongst security researchers on Twitter and Logitech has since released a new version of Options to address the issue.

Via ZDNet

http://feeds.feedburner.com/~r/techradar/software-news/~4/hPvyd-yqebU
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...