KIWICON Hackers everywhere can now more easily compromise popular chat apps to steal users' webcam and audio feeds using a worm framework published online - and they even have a new zero day to help the plundering.
Many popular chat apps suffer because of their architecture, rather than specific vulnerabilities. Services built on Electron, or that contain an embedded webview, are in trouble.
Rocket Chat issued a patch 13 hours after disclosure, Ryver within a day. Slack does use webviews; however, it appears to be safe.
Aussie hacker Shubham Shah, together with US-based Moloch of Bishop Fox, and former colleague Matt Bryant, developed the framework and found the unpatched Microsoft Azure Storage Explorer zero day.
"This is a cross-platform worm where we can steal files, access the WebRTC APIs, and the Cordova APIs," Moloch told the Kiwicon hacking conference in Wellington.
"Little Doctor is written in a modular fashion - all you need is your own propagation module and you can create a worm on basically any platform you want.
"As soon as the code starts it launches a new channel, sets the topic to the exploit code, and starts scraping and inviting people."
Shubham Shah and Moloch. Image: Darren Pauli / The Register.
The team attempted to disclose the bug to Microsoft but after 90 days did not receive a response.
The trio did not stop there: they found and demonstrated since-patched exploits against Rocket Chat and Ryver, in a new class of attack that turns cross-site scripting into remote code execution for the container apps.
In each attack the trio stole sensitive files and spread the attack using messages which, they say, could infect whole organisations, gaining arbitrary native code execution.
Their attack bypassed operating system defences including data execution prevention and address space layout randomisation.
The Little Doctor framework is available on GitHub and is published for the benefit of security researchers and penetration testers. ®