Quote Tweet
protip: it is not the reporter's responsibility to explain to you exactly why a bug is exploitable
especially not when it's one of the most well-documented threat vectors in all of security
Show this thread
1
5
10
Conversation
This Tweet was deleted by the Tweet author. Learn more
This Tweet was deleted by the Tweet author. Learn more
If they had proper signature verification including prevention of downgrade attacks it wouldn't be needed for the baseline update security, but it's still useful. An attacker modifying the traffic could still do things like a disk space DoS by providing an infinite size file.
1
They could make it robust against that kind of disk space exhaustion too, but I still think it's a good idea to use HTTPS, ideally via system libraries that get updated automatically and aren't going to be adding any real attack surface since it's already heavily used / exposed.
1
Other than pretending an update is available and then serving an old release for a downgrade attack, an attacker also has the opportunity to serve the description of the update to trick the user into installing malware which is vaguely similar to github.com/spesmilo/elect.
One way to prevent downgrade attacks would be having signature verification of the metadata (the other being checking that the metadata inside the update matches), which would deal with that. It's easiest to start with HTTPS and then perfect all these things over time though.