Security researchers have identified several vulnerabilities in how apps open and handle URLs, leading to one-click code execution that doesn’t require user input.
It’s easy to think that a simple action like opening a URL in an application doesn’t pose much of a security problem, but that’s not the case. Apps that open URLs without proper precautions are a problem on all operating systems.
No matter the OS, the danger is pretty much the same. Attackers can manipulate URLs in such a way that allows them to run code on the targeted device. If the message is crafted to take advantage of existing vulnerabilities, one-click code execution is no longer out of reach.
“For any given software, [we] check all features where user-supplied values are opened as URLs (e.g. hyperlinks),” said the researchers from Positive Security. “If the feature, under the hood, uses the OS to handle the opening and allows arbitrary schemes without comprehensive warning messages, there is likely a way to exploit the feature on certain platforms.”
The researchers looked at multiple operating systems and popular apps in their effort to identify the misbehaving ones. The Telegram desktop application for Windows, Linux and macOS was among the apps they checked, and they discovered a number of problems, one of which had already been reported, in some form, back in 2015 but remained unfixed until a few months ago.
The team also discovered a problem in VLC and reported the vulnerability in January; it was fixed in a subsequent patch. The one in Wireshark was much more straightforward.
“The QT based Wireshark packet analyzer application makes some fields which contain URLs double-clickable,” said the team. “These URLs were simply passed to QDesktopServices::openUrl, allowing for exploitation via malicious capture files or the live capture of maliciously crafted traffic.”
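The pattern the researchers describe, a user-supplied value handed to the OS opener with any scheme, is usually countered by checking the scheme before the call. The sketch below is an added example, not code from Wireshark or any other app named here; the function names and the http/https allowlist are assumptions, and a Qt application would call QDesktopServices::openUrl only when the check returns true.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Assumption: this hypothetical app only ever needs to open web links.
static const char* const kAllowedSchemes[] = {"http", "https"};

// Returns the lowercased scheme per RFC 3986
// (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"), or "" if there is none.
std::string extract_scheme(const std::string& url) {
    const std::string::size_type colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return std::string();
    if (!std::isalpha(static_cast<unsigned char>(url[0]))) return std::string();
    std::string scheme;
    for (std::string::size_type i = 0; i < colon; ++i) {
        const unsigned char uc = static_cast<unsigned char>(url[i]);
        if (!std::isalnum(uc) && uc != '+' && uc != '-' && uc != '.')
            return std::string();
        scheme.push_back(static_cast<char>(std::tolower(uc)));
    }
    return scheme;
}

// True only for "scheme://host..." with an allowlisted scheme. Inputs with
// no scheme, local or UNC-style paths, whitespace, control characters or
// backslashes are rejected rather than left for the OS handler to interpret.
bool is_safe_to_open(const std::string& url) {
    for (char c : url) {
        const unsigned char uc = static_cast<unsigned char>(c);
        if (uc <= 0x20 || uc == 0x7f || c == '\\') return false;
    }
    const std::string scheme = extract_scheme(url);
    bool allowed = false;
    for (const char* s : kAllowedSchemes)
        if (scheme == s) allowed = true;
    if (!allowed) return false;
    const std::string rest = url.substr(scheme.size() + 1);
    return rest.size() > 2 && rest.compare(0, 2, "//") == 0 && rest[2] != '/';
}

int main() {
    // Constructed sample values, e.g. as they might appear in a clickable field.
    const char* samples[] = {"https://example.org/docs", "HTTPS://example.org",
                             "file:///tmp/example.txt", "example.org/page",
                             "\\\\host\\share\\item", "https:///no-host"};
    for (const char* s : samples)
        std::cout << (is_safe_to_open(s) ? "open   " : "refuse ") << s << "\n";
    return 0;
}
```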
Other investigated apps included Bitcoin/Dogecoin wallets, Mumble, LibreOffice, OpenOffice and even the famous WinSCP, all of which had security issues regarding the use of external URLs. Since this is a multifaceted problem, it needs to be addressed from multiple sides: the OS, the frameworks and the apps themselves.