A new vulnerability has been discovered in GoPro Studio, GoPro's playback and editing tool, which is available to millions of users. The tool sends its requests out to the web over unencrypted HTTP, so an attacker who can hijack those requests could present users with a message offering an upgraded version of GoPro Studio; users who accepted the download would in reality be receiving malicious code.
Tim Erlin, director of IT security and risk strategy at Tripwire, says that while this is not a new type of attack, simply switching to HTTPS is not necessarily a fix for the issue. His full remarks follow.
Tim Erlin, director of IT security and risk strategy at Tripwire:
“Delivering a malicious update file is certainly not a new type of attack. Validating software in a way that’s effective and usable continues to be a problem for the industry. Users have been tricked into installing malicious software in a variety of ways, from compromise of the actual source to a simple email attachment.
To exploit this vulnerability, an attacker would have to control the user's DNS resolution, and the user would have to ignore Microsoft's software validation warnings to install the file.
The use of HTTPS isn’t really a fix for this issue, though it increases the difficulty for the attacker. If we assume that a user will click through software validation warnings, an attacker could take control of their internet connection to deliver malicious updates, or simply email them the file to install.”
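The point Erlin makes is that the transport is not where the trust should live: a client that validates each update against a key it already holds rejects a substituted file no matter how the bytes arrived, over HTTP, HTTPS, or a hijacked DNS lookup. The following Go program is an added illustration of that check, not code from GoPro Studio or from Tripwire. The manifest layout, the version strings and the installer bytes are constructed for the example, and the key pair is generated on each run rather than pinned in a real binary.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// UpdateManifest is the small record an updater would fetch alongside the
// installer: the version string, the SHA-256 of the installer bytes, and an
// Ed25519 signature over both, made with the vendor's offline release key.
// (Hypothetical layout for this example; not GoPro Studio's real format.)
type UpdateManifest struct {
	Version   string
	SHA256    [sha256.Size]byte
	Signature []byte
}

// manifestMessage is the exact byte string that gets signed: the version,
// a NUL separator, then the digest. Binding the version stops an attacker on
// the path from replaying an older, genuinely signed release under a newer
// version label.
func manifestMessage(version string, sum [sha256.Size]byte) []byte {
	msg := []byte(version)
	msg = append(msg, 0)
	return append(msg, sum[:]...)
}

// SignManifest runs on the vendor side with the private key that never leaves
// the release pipeline. The update server only ever holds the output.
func SignManifest(priv ed25519.PrivateKey, version string, installer []byte) UpdateManifest {
	sum := sha256.Sum256(installer)
	return UpdateManifest{
		Version:   version,
		SHA256:    sum,
		Signature: ed25519.Sign(priv, manifestMessage(version, sum)),
	}
}

// VerifyUpdate runs on the client with a public key compiled into the binary.
// The check does not depend on how the bytes arrived, so controlling the DNS
// lookup or the plain-HTTP fetch only lets an attacker serve data that fails
// it; nothing they serve without the vendor's private key can pass it.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m UpdateManifest, installer []byte) error {
	if len(m.Signature) != ed25519.SignatureSize {
		return errors.New("manifest: malformed signature")
	}
	// 1. The manifest must be signed by the pinned vendor key.
	if !ed25519.Verify(pinnedPub, manifestMessage(m.Version, m.SHA256), m.Signature) {
		return errors.New("manifest: signature does not verify against pinned vendor key")
	}
	// 2. The installer bytes must match the digest the vendor signed.
	sum := sha256.Sum256(installer)
	if subtle.ConstantTimeCompare(sum[:], m.SHA256[:]) != 1 {
		return errors.New("installer: SHA-256 does not match signed manifest")
	}
	return nil
}

func main() {
	// Vendor key pair; the public half is what a real client would pin.
	// Constructed for this example and generated fresh on every run.
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	installer := []byte("constructed installer bytes standing in for a real setup package")
	manifest := SignManifest(vendorPriv, "example-2.0.0", installer)
	fmt.Println("genuine update:", VerifyUpdate(vendorPub, manifest, installer))

	// The case the article describes: the genuine manifest is served, but the
	// installer behind it has been swapped on the path.
	swapped := []byte("not the vendor's file")
	fmt.Println("swapped installer:", VerifyUpdate(vendorPub, manifest, swapped))

	// A manifest signed with some other key is rejected just the same.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := SignManifest(otherPriv, "example-9.9.9", swapped)
	fmt.Println("forged manifest:", VerifyUpdate(vendorPub, forged, swapped))
}
```

The two failure branches map onto the two things Erlin lists as prerequisites: the second checks the bytes the user is about to run, and the first checks who vouched for them. Whether the user then clicks through an operating-system warning is outside what a program like this can enforce; the verifier's job is to make sure there is no signed artifact for the warning to be about.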
About Tim Erlin: Tim Erlin is a Director of Product Management at Tripwire, and is responsible for the Suite360 product line including Vulnerability Management, Configuration Auditing, and Policy Compliance. Previously, in his nearly 10-year tenure at nCircle, he also held the positions of Senior Sales Engineer and QA Engineer. Tim's career in information technology began with project management, customer service, as well as systems and network administration. Tim is a member of ISSA, and frequently hosts corporate webinars on various topics, including regulatory compliance.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.