The AchieVer
Posted June 6, 2019

Remote attack flaw found in IPTV streaming service

The bug could be used by hackers to intercept your streaming and steal your information.

A critical remote execution flaw has been found in a Ukrainian TV streaming device manufacturer which, if exploited, granted attackers the power to seize control of the streaming service and content on display.

According to Check Point Research, Infomir -- a Ukrainian IPTV (Internet Protocol Television), OTT (Over-the-Top) and VoD (Video-on-Demand) content streaming provider -- was the source of the security flaw.

On Wednesday, researchers said in a blog post that Infomir's web management platform, Ministra -- also known as Stalker -- is used to manage set-top boxes (STBs). The platform acts as a conduit between consumer STBs and television service providers which buy into the platform.

Ministra does require authentication to access -- but a logic problem ballooned into a major security vulnerability which removed this protection.

The team was able to circumvent the demand for authentication and seize control of some admin AJAX API functions due to a sanitization key failure, leading to the potential for SQL and PHP Object injection and the remote execution of code.

Check Point says that it is difficult to estimate the full impact of the security flaw, but as over 1000 content providers and resellers are connected to Ministra, there would likely be a "very high" number of worldwide customers which may have been impacted.

"In order to receive the television broadcast, the STB connects to the Ministra and service providers use the Ministra platform to manage their clients," the researchers say. "The risks would be their entire customer database of personal information and financial details could be stolen, as well as allowing an attacker to potentially stream any content they choose on to the screens of their customer network."

The vulnerability was first discovered and reported in 2018 and was patched prior to public disclosure in Ministra version 5.4.1. However, as some service providers may not have applied the fix, the vulnerability has also been reported to the CTA Forum.