Skip to main content

Security flaw in Logitech app allowed for keystroke injection attacks

(Image credit: Image Credit: Logitech)

After ignoring a bug report from Google's Project Zero security team, Logitech has finally released a security patch for one of its apps after waiting three months.

The vulnerability was discovered in the company's Options app that allows users to customise the functionality and behaviour of the buttons on their mice, keyboards and trackpads.

Google security researcher Tavis Ormandy first discovered that the app was opening a WebSocket server on user's machines back in September.

The server in question featured support for a number of intrusive commands and used a registry key to auto-start on each system boot.

Keystroke injection attacks

Ormandy offered further details on how the bug he discovered in Logitech's software could be used to take control of a user's system in a bug report, saying:

"The only 'authentication' is that you have to provide a PID [process ID] of a process owned by your user but you get unlimited guesses so you can bruteforce it in microseconds. After that, you can send commands and options, configure the 'crown' to send arbitrary keystrokes, etc, etc.,"

Ormandy informed Logitech about the issue in September and while the team acknowledged the bug report, it never released a patch to rectify the issue.

If a company has not issued a patch for a security issue after 90 days, Project Zero's policy is to publicly disclose the vulnerability which Ormandy did this week.

The bug report gained attention amongst security researchers on Twitter and Logitech has since released a new version of Options to address the issue.

Via ZDNet