A cross-site scripting (XSS) vulnerability, together with the supply chain attacks it enables, affects the Linux marketplaces hosted on the Pling platform. This is the finding of a study by the German cyber security consultancy Positive Security.
Pling matters because it lets anyone set up free and open-source software (FOSS) stores that distribute software, themes and other content that may not be available through other distribution channels.
Fabian Braunlein, co-founder of the security consultancy Positive Security, found that the XSS flaw is serious because it is wormable and affects every marketplace built on the Pling platform. It cannot be dismissed as a cosmetic issue, since it is the entry point for the supply chain attacks described below.
Cross-Site Scripting Attack
Cross-site scripting (XSS) is a security vulnerability commonly found in web applications. The attack is client-side, which means that the parties at risk are the users of the web application rather than the server itself.
An XSS attack occurs when an attacker gets a malicious script to run in the victim's web browser. The attacker achieves this by injecting harmful code into an otherwise legitimate web application, for example through a field whose content is later rendered for other users.
The attack does not fire at injection time; it takes place when a user visits the affected page or application. The web application holding the injected code thus becomes the carrier that delivers the malicious script to the victim's browser.
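To make the mechanism concrete, here is an added example (not code from the article, from Pling or from Positive Security) of the sink that turns a marketplace listing into stored XSS, shown beside the output-encoded version that prevents it. The listing object, the renderer names and the sample description are constructed for this illustration.

```javascript
// Added example: stored XSS through listing metadata, and the output encoding that stops it.
// The listing objects, function names and sample payload are constructed; they are not the
// Pling platform's own code.

// Encode the five characters that are significant in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// VULNERABLE (shown for contrast): untrusted listing fields are interpolated into markup
// verbatim, so whoever can edit a listing controls HTML that every visitor's browser parses.
function renderListingUnsafe(listing) {
  return `<div class="listing"><h2>${listing.title}</h2><p>${listing.description}</p></div>`;
}

// HARDENED: each untrusted field is encoded for the HTML context before interpolation.
// The markup structure is still the template's; the data can no longer introduce tags.
function renderListingSafe(listing) {
  return `<div class="listing"><h2>${escapeHtml(listing.title)}</h2>` +
         `<p>${escapeHtml(listing.description)}</p></div>`;
}

// Defence in depth: a Content-Security-Policy header that blocks inline scripts even if an
// encoding mistake slips through (a generic policy, not one taken from Pling).
function contentSecurityPolicyHeader() {
  return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";
}

// Constructed sample: a listing whose description carries markup instead of plain text.
const sampleListing = {
  title: "Fancy Theme",
  description: 'Nice theme <script>document.title="changed"</script>',
};

// Render both ways so the difference is visible when the file is run directly.
console.log(renderListingUnsafe(sampleListing));
console.log(renderListingSafe(sampleListing));
```

Run the file with Node to see the two renderings side by side: the unsafe output contains a live `<script>` element, the hardened output contains only the text `&lt;script&gt;`, which the browser displays rather than executes.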
Impact of XSS Flaw
The impact of XSS is widespread and keeps affecting web application users. The research outlines the following consequences of this particular flaw.
The first is listing modification. Once the malicious code runs in the Pling platform, it can alter the marketplace listings in the victim's account, revising existing entries or introducing changes the owner never made.
The flaw can also be used to add new listings, so the Pling store ends up with more applications than its legitimate publishers uploaded. This is particularly dangerous because modifying or adding listings opens a window for abuse in a supply chain attack.
In such a supply chain attack, the attacker uploads a backdoored application and alters the metadata of the victim's listings so that the metadata carries the malicious payload.
Although listing modification was first observed in the KDE Discover marketplace, it affects all FOSS application stores built on Pling. Affected stores include appimagehub.com, gnome-look.org, store.kde.org, xfce-look.org and pling.com.
The PlingStore App
The PlingStore application is an Electron application. The research found that the app itself is affected by a remote code execution flaw that can be triggered from any browser.
The PlingStore app acts as a wrapper that displays the marketplace websites and lets users install software with a single click.
The research further states that the app contains a mechanism for running code at the operating-system level, and that this mechanism can be reached by any website, allowing it to execute arbitrary code.
The arbitrary code execution stems from a local WebSocket server, the ocs manager, which is launched when the app starts. It performs various functions in response to commands sent to it by the PlingStore app.
Browsers do not apply the same-origin policy to WebSocket connections. A local WebSocket server must therefore validate the Origin header server-side and, beyond that, enforce additional authentication over the WebSocket connection.
The ocs manager does neither, which means that as long as PlingStore is running, the vulnerability can be triggered from any malicious website the user visits in the browser.
Braunlein says he tried to contact Pling in order to disclose the weakness responsibly but received no response. He did, however, reach the KDE Discover and GNOME Shell Extensions developers, who were quick to address the issue.
Source: HackerCombat