lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 29 Sep 2013 22:15:38 GMT
From: guillaume@...aryfactory.ca
To: bugtraq@...urityfocus.com
Subject: [CVE-2013-5725] - Byword for iOS Data Destruction Vulnerability

- Affected Vendor: http://metaclassy.com/
- Affected Software: Byword for iOS
- Affected Version: 2.x prior to 2.1
- Issue Type: Lack of validation/user confirmation leading to destruction of data
- Release Date: 29 Sept 2013
- Discovered by: Guillaume Ross 
- CVE Identifier: CVE-2013-5725
- Issue Status: Vendor has published version 2.1 which adds a confirmation prompt to prevent the issue.

**Summary**

Byword is a text editor for iOS and OS X that can use iCloud or Dropbox to sync documents. 

Byword supports actions through X-URLs on iOS.
One of the supported action replaces a file with the value passed through the URL.

**Description**

The Replace file action in the affected version does not warn the user and replaces the content of the target file with text specified in the X-URL.

The attacker must know the path to the file, but considering iCloud does not have subfolders, it makes it easier to guess filenames such as "todo.txt" file or an "important.txt" file, or the attacker could have received a file created by the victim using Byword and  can guess the filename from the title. 

**Impact**

The file can be overwritten and the data could be lost permanently.

**Proof of Concept**

	byword://replace?location=icloud&path=&name=Important.txt&text=haha

This URL would replace the content of the file "Important.txt" in the user's iCloud container for Byword with "haha". By using iframes, the attacker can embed this attack in a web page. Safari on iOS will automatically launch Byword and overwrite the file.

	<iframe src="byword://replace?location=icloud&path=&name=Important.txt&text=haha"></iframe>

**Response Timeline**

- August 26 2013 - Vendor notified
- August 26 2013 - Vendor acknowledges vulnerability
- September 18 2013 - Update released that adds a warning/confirmation screen
- September 29 2013 - Advisory released

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ