Yellow Flag<p>I doubt that many of my followers are familiar with Xunlei Accelerator, this application being mostly used in China. I came across it due to its popular Chrome extension with 28 million users. I looked into the security of this application and… security? What security?</p><p><a href="https://palant.info/2024/03/06/numerous-vulnerabilities-in-xunlei-accelerator-application/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">palant.info/2024/03/06/numerou</span><span class="invisible">s-vulnerabilities-in-xunlei-accelerator-application/</span></a></p><p>An overview:<br>· Program installation directory writable by any user.<br>· The built-in browser is based on a three-year-old Chromium.<br>· That browser exposed a powerful internal API to arbitrary websites (⇨ code execution among others).<br>· This browser could also be opened by any website loaded in the user’s regular browser, without any user interaction.<br>· XSS vulnerabilities in the display of messages in the main application, despite using React (⇨ code execution).<br>· Electron’s renderer sandboxing effectively rendered ineffective.<br>· Local webserver using “authentication” based on a “secret” hardcoded string.<br>· Plugin installation can be triggered by any website (⇨ code execution).<br>· Plugin list downloads via insecure HTTP connection (⇨ code execution).<br>· Rudimentary HTTP client used in some places, with memory safety issues and recognizing exactly two server responses.<br>· Tons of outdated third-party code, including (but not limited to) two-year-old FFmpeg, twelve-year-old libpng and eight-year-old zlib.</p><p>The vendor fixed the most obvious ways to exploit these issues.
With the communication being spotty to say the least, I don’t know whether they plan to do more.</p><p><a href="https://infosec.exchange/tags/Xunlei" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Xunlei</span></a> <a href="https://infosec.exchange/tags/applicationsecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>applicationsecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>infosec</span></a> <a href="https://infosec.exchange/tags/vulnerabilities" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>vulnerabilities</span></a> <a href="https://infosec.exchange/tags/rce" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>rce</span></a></p>