Little Doctor zero day: compromising chat applications

Little Doctor: Hackers who wish to gain access to popular chat applications in order to use users' cameras and audio can do so very easily by using a worm that has been published.

At this time it is still a zero day, which means that the security hole has not been patched.

The framework, named “Little Doctor”, is a super weapon that can compromise JavaScript-based chat applications. Many popular chat applications are at risk because of their architecture. Services that have been built on Electron, or that contain an embedded webview, are in a very difficult position.

Note that Rocket Chat provided a patch 13 hours after the disclosure, and Ryver within a day. The Slack application also makes use of WebViews; however, it seems to be safe.

Australian hacker Shubham Shah and former colleague Matt Bryant developed the worm framework and found a Microsoft Azure Storage Explorer zero day.

“This worm is cross-platform, and can steal files from any application that has access to the WebRTC APIs, and the APIs” said Moloch at the Kiwicon hacking conference held in Wellington.

The team reported the flaw to Microsoft, but after 90 days it had not received a response.

The trio did not stop there: it also found and demonstrated the flaw in the Rocket Chat and Ryver applications, turning a cross-site attack into remote code execution for the containers.

See PoC and download Little Doctor

The Little Doctor framework is available on GitHub for all security researchers and penetration testers.

Written by giorgos
