A server-side vulnerability found in the save-for-later service would have allowed attackers to gain access to all user data and even populate their reading lists with malicious links.
Because of the bookmarking app's poor networking design, the researcher was able to retrieve user information such as IP addresses and saved URLs and, with the help of some redirects, to read the /etc/passwd file, which lists the system's accounts.
“Applications similar to Pocket require some logic to handle HTTP redirects on links [and] I added a link to my queue that resulted in a somewhat malicious redirect,” wrote researcher Clint Ruoho. “After refreshing the Pocket app on my Android phone, the (reading) list included file:///etc/passwd. Clicking on the item revealed the full contents of /etc/passwd.”
By chaining more than one vulnerability, the researcher believes, an attacker could have grabbed the /etc/passwd file as well as SSH private keys from the auto-provisioned EC2 user's home directory, obtained internal IP addresses, and even used that SSH private key to SSH into the private IP addresses of Pocket's backend servers.
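The chain described above hinges on one server-side design point: a service that fetches user-submitted links must validate every URL it requests, including each redirect target, not just the one the user typed. The following is an added, hypothetical example of such a check, written for this article; it is not Pocket's code. It refuses non-http(s) schemes (so a redirect to file:///etc/passwd is never followed), refuses hosts that resolve to loopback, private, link-local (the EC2 metadata endpoint) or other non-public ranges, and re-runs the check on every hop. The DNS table, the web responses and the hostnames (attacker.example, news.example, intranet.example) are constructed fixtures so the example runs offline.

```python
"""
Hypothetical redirect-aware URL fetcher for a save-for-later service.
Added example, not Pocket's code. DNS and HTTP are faked in memory.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher:// etc. are never fetched
MAX_REDIRECTS = 5

# Ranges a public-link fetcher must never contact. ipaddress's is_global flag
# covers these too, but it also treats the RFC 5737 documentation addresses used
# in the fixtures below as non-global, so the list is spelled out here.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",                    # link-local, incl. EC2 metadata endpoint
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "::/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
)]


def is_public_address(addr: str) -> bool:
    """True only for an address outside every blocked range (raises ValueError on junk)."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in BLOCKED_NETWORKS)


def check_target(url: str, resolve) -> tuple[bool, str]:
    """Validate one URL before it is fetched. resolve(host) returns a list of
    IP strings; every address must be public, not just the first one."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme or '(none)'}' not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"cannot resolve {host}: {exc}"
    if not addrs:
        return False, f"{host} has no addresses"
    for addr in addrs:
        try:
            if not is_public_address(addr):
                return False, f"{host} resolves to non-public address {addr}"
        except ValueError:
            return False, f"{host} resolved to unparsable address {addr!r}"
    return True, "ok"


def fetch(url: str, resolve, http_get) -> tuple[bool, str, bytes]:
    """Fetch url, following at most MAX_REDIRECTS redirects and validating every
    hop. http_get(url) returns (status, headers, body) and must NOT follow
    redirects itself, otherwise the check is bypassed."""
    for _ in range(MAX_REDIRECTS + 1):
        ok, why = check_target(url, resolve)
        if not ok:
            return False, f"refused {url}: {why}", b""
        status, headers, body = http_get(url)
        if status in (301, 302, 303, 307, 308):
            location = headers.get("Location")
            if not location:
                return False, f"{url} redirected without Location", b""
            url = urljoin(url, location)   # relative Location resolved against current URL
            continue
        return True, url, body
    return False, "too many redirects", b""


# --- constructed fixtures so the example runs offline ------------------------
FAKE_DNS = {
    "attacker.example": ["203.0.113.10"],
    "news.example": ["198.51.100.7"],
    "intranet.example": ["10.1.2.3"],      # public name pointing at an internal host
}


def fake_resolve(host: str) -> list[str]:
    try:
        ipaddress.ip_address(host)          # IP literal: nothing to look up
        return [host]
    except ValueError:
        pass
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    raise OSError(f"NXDOMAIN {host}")


FAKE_WEB = {
    "https://attacker.example/saved": (302, {"Location": "file:///etc/passwd"}, b""),
    "https://attacker.example/meta": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "https://attacker.example/dns": (302, {"Location": "http://intranet.example/"}, b""),
    "https://news.example/story": (302, {"Location": "/story-final"}, b""),
    "https://news.example/story-final": (200, {}, b"<html>article</html>"),
}


def fake_get(url: str):
    return FAKE_WEB.get(url, (404, {}, b"not found"))


if __name__ == "__main__":
    for u in ("https://attacker.example/saved", "https://attacker.example/meta",
              "https://attacker.example/dns", "https://news.example/story"):
        print(u, "->", fetch(u, fake_resolve, fake_get)[:2])
```

The three attacker.example fixtures are the redirect cases the article describes (a hop to file://, to the link-local metadata address, and to a name that resolves to an internal host); only the news.example chain completes. One caveat the example does not cover: the address is checked by a resolver and then the HTTP client resolves the name again, so a DNS answer that changes between the two lookups (rebinding) can slip through; a production fetcher should connect to the address it validated and send the hostname in the Host header rather than resolving twice.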
“They could have compromised the Pocket application and gained access to all of Pocket’s user data, and in theory manipulated it so that it synchronises to user devices,” said Miller. “They could do things here like redirects to client-side exploits. There’s also a privacy concern here too if people are saving links off their corporate intranet to Pocket that contain internal documents or authentication credentials.”
Following responsible disclosure, the vulnerability has been fixed and users should be safe now. However, the researcher believes it was lucky for Pocket that a responsible researcher offered to help, even though the company has no bug bounty program.