This article originally appeared in SC Magazine on December 17, 2018.
Logitech apparently has patched a vulnerability in its Options app found by a Google Project Zero researcher in September and which could have been exploited by hackers to orchestrate keystroke injection attacks.
Researcher Tavis Ormandy first discovered the Options app, which lets users customize their keypads, mice and touchpads, opening a WebSocket server, which he said in an alert had “zero type checking of properties, so it crashes like crazy.”
After first puzzling over how to notify Logitech, Ormandy met with company engineers on Sept. 18 and was assured “they understood the issues and were planning to add Origin checks and type checking.” However, an Oct. 1 release didn’t seem to address the issue, he wrote in making his findings public on Dec. 11.
The company tweeted that it had fixed the bug in Logitech Options 7.00.
“The Logitech Options bug illustrates how apps are being developed without adequate attention to security and privacy. The fact that it took more than 90 days to develop a patch and communicate it to the public, and only after a Google security researcher threatened to make the bug public, is unacceptable,” said Pat Ciavolella, digital security and operations director for The Media Trust. “With more than 7,000 employees and revenues in the billions, Logitech should have the resources to design apps with security in mind, test those apps for any bugs before they are publicly launched, and fix any bugs as soon as they are reported.”
Ciavolella said as laws like “GDPR and California’s Consumer Privacy Act spring up and take effect around the globe, “app providers who want to protect their brand and revenues should prepare themselves for new thresholds for security and privacy.”