
Unencrypted GoPro updates leave users vulnerable to attack

A vulnerability in the playback and editing tool for GoPro Studio leaves user data susceptible to attack because the tool makes update requests over the open web using unencrypted HTTP connections, researchers at Pentest Partners recently discovered, according to a report in Forbes.

The company also sends the updates themselves to users as unencrypted traffic. An attacker on the same network, such as a public Wi-Fi connection, could intercept an update request and respond by advertising a higher version, even if no new update were actually available. The victim's software accepts the response and allows the victim to download the phony update, potentially exposing all data to malware.

Ken Munro, partner at Pentest Partners, told Forbes that unencrypted updates are common across applications and that all firms should look to ensure that their updates are protected. 
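As an added illustration (not code from the article, Pentest Partners or GoPro), the sketch below shows client-side checks that address the weakness described above: the update manifest and the download must both come from a pinned HTTPS host, and the downloaded bytes must match the digest in the manifest. The host name, the manifest fields (`version`, `url`, `sha256`) and the sample data are assumptions constructed for the example.

```python
import hashlib
import hmac
import json
from urllib.parse import urlsplit

TRUSTED_HOST = "updates.example.com"  # hypothetical vendor update host

class UpdateRejected(Exception):
    """An update offer failed a transport or integrity check."""

def require_trusted_https(url):
    """Accept only https:// URLs on the pinned update host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != TRUSTED_HOST:
        raise UpdateRejected("untrusted update URL: " + url)

def version_tuple(text):
    """'2.5.10' -> (2, 5, 10), so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def check_offer(manifest_url, manifest_text, installed):
    """Return (url, sha256) for a newer release, or None when up to date."""
    # The digest is only trustworthy if the manifest came over HTTPS;
    # over plain HTTP every field could be rewritten in transit.
    require_trusted_https(manifest_url)
    manifest = json.loads(manifest_text)
    require_trusted_https(manifest["url"])
    if version_tuple(manifest["version"]) <= version_tuple(installed):
        return None
    return manifest["url"], manifest["sha256"].lower()

def verify_payload(payload, expected_sha256):
    """Refuse to install bytes whose SHA-256 differs from the manifest."""
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected_sha256):
        raise UpdateRejected("payload digest mismatch")

# Constructed sample data (not GoPro's real manifest format or hosts).
GOOD_PAYLOAD = b"installer-bytes-v2.6.0"
GOOD_MANIFEST = json.dumps({
    "version": "2.6.0",
    "url": "https://updates.example.com/studio-2.6.0.exe",
    "sha256": hashlib.sha256(GOOD_PAYLOAD).hexdigest(),
})
SPOOFED_MANIFEST = json.dumps({  # constructed tampered response
    "version": "99.0.0",
    "url": "http://updates.example.com/studio-99.exe",
    "sha256": hashlib.sha256(b"other-bytes").hexdigest(),
})
```

A vendor signature over the manifest, verified against a public key shipped inside the application, would add a layer that does not depend on the transport alone.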
