Jump to content

Security flaw in Logitech app allowed for keystroke injection attacks


Recommended Posts

Posted

After ignoring a bug report from Google's Project Zero security team, Logitech has finally released a security patch for one of its apps after waiting three months.

The vulnerability was discovered in the company's Options app that allows users to customise the functionality and behaviour of the buttons on their mice, keyboards and trackpads.

Google security researcher Tavis Ormandy first discovered that the app was opening a WebSocket server on user's machines back in September.

The server in question featured support for a number of intrusive commands and used a registry key to auto-start on each system boot.

Keystroke injection attacks

Ormandy offered further details on how the bug he discovered in Logitech's software could be used to take control of a user's system in a bug report, saying:

"The only 'authentication' is that you have to provide a PID [process ID] of a process owned by your user but you get unlimited guesses so you can bruteforce it in microseconds. After that, you can send commands and options, configure the 'crown' to send arbitrary keystrokes, etc, etc.,"

Ormandy informed Logitech about the issue in September and while the team acknowledged the bug report, it never released a patch to rectify the issue.

If a company has not issued a patch for a security issue after 90 days, Project Zero's policy is to publicly disclose the vulnerability which Ormandy did this week.

The bug report gained attention amongst security researchers on Twitter and Logitech has since released a new version of Options to address the issue.

Via ZDNet

hPvyd-yqebU

View the full article

  • Like 1
  • Thanks 1
Posted

Ohhhhh well shit. My Logitech software was out of date. The genuises behind this software insured that my firmware on the mouse and keyboard were up to date but apparently doesn't check the software version (At least mine didn't). Thanks Dare!

 

This is where its located of course its not obvious and has a tiny arrow and not available in the settings or config screen...

image.thumb.png.2765632f47771bae0e5e718cfd767b66.png

  • Like 2
Posted

I'm already updated. Thanks for the info!

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.