Doh! WikiLeaks' PDF viewer springs XSS vuln

Just link directly to the docs, says frustrated surfer


WikiLeaks' Flash-powered PDF reader has sprung a vulnerability or two.

The whistle-blowing website uses an open source Flash library called FlexPaper to display PDF files. Unfortunately, various coding errors left FlexPaper open to cross-site scripting and content spoofing.

Developers behind the open source web-based document viewer software have developed a patch to resolve the bugs.

“We have confirmed this XSS security vuln in our GPL flash viewer and patched it. New version: http://static.devaldi.com/GPL/FlexPaper_2.3.0.zip,” FlexPaper told El Reg. “Most Flash security holes were patched in flash version 9 and FlexPaper requires Flash 11 but we have confirmed this XSS.”

The discovery of the bugs by security researcher Francisco Alonso has provoked concerns (http://www.wikileaks-forum.com/security-support/608/-flexpaper-pdf-viewer-used-on-wikileaks-org-presents-security-risk-for-users/32700/msg66862#msg668621:3) on WikiLeaks' forums that the vulnerabilities might be abused to de-cloak users, threatening the privacy of WikiLeaks users in the process.

Hackers (state-sponsored or otherwise) might use Flash components specifically to de-cloak users. It might also be possible to post links to external content as part of attempts to (further) discredit WikiLeaks. Issues similar to the use by the Feds of Metasploit modules to uncover the identities of Tor users are feared.

“Given the fact that most browsers use plugins to enable the reading of PDFs, we strongly urge Wikileaks to link directly to PDF files instead of using third party software that could put users at risk,” a WikiLeaks forum member advised.

WikiLeaks did not respond to our requests for comment. ®

