Logitech Keystroke Injection Flaw Went Unaddressed for Months

Posted on Dec 15, 2018

Computer peripheral giant Logitech has finally issued a patched version of its Logitech Options desktop app, after being taken to task for a months-old security flaw. The bug could have allowed adversaries to launch keystroke injection attacks against Logitech keyboard owners who used the app. Google Project Zero security researcher Tavis Ormandy found the bug in September and publicly disclosed the vulnerability this week.

The Logitech Options app lets users customize the functions of their Logitech computer peripherals, including mice, keyboards and touchpads. Ormandy reported the flaw stems from the fact that the app opens up a WebSocket server that allows outside access to the app from any website, with minimal authentication. From there, a malicious actor could use a rogue website to send a range of commands to the Options app and change a user’s settings.

In addition, a malicious actor could send arbitrary keystrokes by changing some simple configuration settings. That in turn would allow a hacker to access all manner of information and even take over a targeted machine. Further, the app is set to auto-run upon boot-up, so users of the desktop app are essentially running Options persistently in the background – giving any attacker near-continuous access as long as the user’s machine is switched on.
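The server-side fix the description above implies, as an added illustration that is not Logitech's code (the allowlisted origin, local port and request bytes are constructed): a local WebSocket server that completes the RFC 6455 handshake only for an explicitly allowed browser Origin, next to the weak mode that lets any website connect.

```python
import base64
import hashlib
from typing import Optional, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 handshake constant
# Constructed allowlist: a real helper app would list only its own first-party UI origins.
ALLOWED_ORIGINS = {"https://options.example-vendor.test"}


def parse_headers(raw: bytes) -> dict:
    """Lower-cased header map from a raw HTTP upgrade request (request line skipped)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def accept_value(key: str) -> str:
    """Sec-WebSocket-Accept per RFC 6455 section 4.2.2: base64(SHA-1(key + GUID))."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()

def handshake(raw: bytes, check_origin: bool = True) -> Tuple[int, str]:
    """Return (HTTP status, Sec-WebSocket-Accept or rejection reason).

    check_origin=False models the weak behaviour: any web page the user visits
    may open the local socket and drive the app.
    """
    h = parse_headers(raw)
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, "not a WebSocket upgrade"
    if check_origin:
        # Browsers always send Origin on WebSocket connections and page scripts
        # cannot forge it, so an allowlist cuts off drive-by access from other
        # sites. A missing Origin (non-browser client) must not bypass the check.
        origin = h.get("origin")
        if origin not in ALLOWED_ORIGINS:
            return 403, f"origin not allowed: {origin}"
    return 101, accept_value(h["sec-websocket-key"])

def build_request(origin: Optional[str]) -> bytes:
    """Constructed upgrade request as a browser would send it to a local port."""
    lines = ["GET /ws HTTP/1.1", "Host: 127.0.0.1:8765", "Upgrade: websocket",
             "Connection: Upgrade", "Sec-WebSocket-Version: 13",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]  # RFC 6455 sample key
    if origin is not None:
        lines.append(f"Origin: {origin}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")
```

With the origin check off, a request carrying any Origin is upgraded; with it on, only the allowlisted origin receives the 101 response.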

Source: threatpost.com