Security flaw in Logitech app allowed for keystroke injection attacks

(Image credit: Image Credit: Logitech)

After ignoring a bug report from Google's Project Zero security team, Logitech has finally released a security patch for one of its apps after waiting three months.

The vulnerability was discovered in the company's Options app that allows users to customise the functionality and behaviour of the buttons on their mice, keyboards and trackpads.

Google security researcher Tavis Ormandy first discovered that the app was opening a WebSocket server on user's machines back in September.

The server in question featured support for a number of intrusive commands and used a registry key to auto-start on each system boot.

Keystroke injection attacks

Ormandy offered further details on how the bug he discovered in Logitech's software could be used to take control of a user's system in a bug report, saying:

"The only 'authentication' is that you have to provide a PID [process ID] of a process owned by your user but you get unlimited guesses so you can bruteforce it in microseconds. After that, you can send commands and options, configure the 'crown' to send arbitrary keystrokes, etc, etc.,"

Ormandy informed Logitech about the issue in September and while the team acknowledged the bug report, it never released a patch to rectify the issue.

If a company has not issued a patch for a security issue after 90 days, Project Zero's policy is to publicly disclose the vulnerability which Ormandy did this week.

The bug report gained attention amongst security researchers on Twitter and Logitech has since released a new version of Options to address the issue.

Via ZDNet

TOPICS
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
Brad Pitt looks over his right shoulder with 'F1' written behind him
Apple Original Films will take you behind-the-scenes of a racing cockpit in this new thrilling F1 movie trailer
AI writer
Coding AI tells developer to write it himself
Reacher looking down at another character from the Prime Video TV series Reacher
Reacher season 3 becomes Prime Video’s biggest returning show thanks to Hollywood’s biggest heavyweight
Image showing detail of the Leica D-Lux 8
Still can't get a Fujifilm X100VI? This premium Leica compact costs less, and it's in stock
Man using iMessage on an iPhone
Apple will finally enable encrypted RCS messages between iOS and Android, and it's about time
Google Messages update
Google Messages could soon follow WhatsApp with an upgrade that makes it much easier to join group chats