Logitech closes vulnerability in Options software that gave websites access to the keyboard

Dec 14, 2018

On Thursday, Logitech announced a new version of its Logitech Options software that closes a vulnerability in the software. The vulnerability allowed websites to access users' keyboards.

Google Project Zero researcher Tavis Ormandy reported earlier this week that Logitech Options opens a WebSocket server on port 10134 without applying an origin check. The server is related to the SDK of the Craft Crown, a dial on the wireless Craft keyboard that, for example, enables specific Photoshop functionality through plug-ins. Logitech Options provides management options for keyboards and mice.

The only authentication required to access the WebSocket server is a Windows process ID, but according to Ormandy that can be brute-forced. Websites would thus be able to send commands to the Options software and configure the dial.
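The two checks at issue here, an origin check on the WebSocket handshake and a secret that cannot be guessed the way a process ID can, sketched as an added example (not Logitech's code and not from the article). The header name `X-Session-Token`, the empty origin allowlist and the constructed sample requests are assumptions.

```python
import hmac
import secrets

# Assumption: only native plug-ins connect, so no browser origin is allowlisted.
ALLOWED_ORIGINS = frozenset()
TOKEN_HEADER = "x-session-token"  # hypothetical header name, not from the SDK


def new_session_token():
    """128-bit random secret, handed to the plug-in out of band (e.g. a file
    readable only by the logged-in user). Unlike a process id, not guessable."""
    return secrets.token_urlsafe(16)


def parse_headers(raw_request):
    """Return lowercase header names mapped to lists of values (keeps duplicates)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_handshake(raw_request, expected_token, allowed_origins=ALLOWED_ORIGINS):
    """Decide whether to accept a WebSocket upgrade. Returns (accepted, reason)."""
    headers = parse_headers(raw_request)
    if [v.lower() for v in headers.get("upgrade", [])] != ["websocket"]:
        return False, "not a websocket upgrade"
    # Browsers always attach Origin to a WebSocket handshake and page script
    # cannot change it, so any unlisted or repeated Origin is refused.
    origins = headers.get("origin", [])
    if len(origins) > 1 or any(o not in allowed_origins for o in origins):
        return False, "origin not allowed"
    tokens = headers.get(TOKEN_HEADER, [])
    supplied = tokens[0] if len(tokens) == 1 else ""
    if not hmac.compare_digest(supplied.encode(), expected_token.encode()):
        return False, "bad or missing token"
    return True, "ok"


def build_request(extra_headers):
    """Constructed sample handshake for the port named in the article."""
    lines = ["GET / HTTP/1.1", "Host: 127.0.0.1:10134", "Upgrade: websocket",
             "Connection: Upgrade"] + extra_headers
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")
```

A handshake carrying a website's `Origin` is refused before the token is even compared, and a client without an `Origin` header still has to present the random token rather than a small integer.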

The security researcher found the vulnerability on 12 September but could not find a way to inform the Logitech security team. He managed to do so on 18 September after all, after which the team set to work on closing the vulnerability. When this had still not happened by 11 December, Ormandy decided to publish. On Thursday, Logitech made version 7.00 available. In the release notes, the company only reports that there are ‘bug fixes’, but on Twitter Logitech emphasizes that the vulnerability has been fixed in this version.

Logitech Craft Crown
