Little Doctor: hackers wishing to gain access to popular messaging applications (chats) in order to use the camera and sound of users can do so very easily by using a worm published online.

At present it is still zero day which means that the vulnerability has not been fixed.

The framework, named «Little Doctor» is a super weapon that can violate chat applications based on JavaScript. Many popular chat applications are at risk due to their architecture. Services developed in Electron, or that contain an embedded webview, are in a very tough position.

The Rocket Chat application allocated a patch 13 hours after the discovery, and Ryver within a day. The Slack application uses WebViews, but, it appears to be safe.

The Australian hacker Shubham Shah and former colleague Matt Bryant, developed the worm framework and found an unpatched zero day Microsoft Azure Storage Explorer.

“This is a cross-platform worm, and can steal files from any application that has access to the APIs of WebRTC and Cordova APIs» said Moloch in Kiwicon hacking conference held in Wellington.

The group revealed the error to Microsoft, but still after 90 days, has still not received a response.

After having found and demonstrated the exploit at Rocket Chat and Ryver applications, they turned an attack cross-site scripting into remote code execution for container apps.

Watch PoCs and download Little Doctor

The Little Doctor framework is available at GitHub for all security researchers and penetration testers.


Find out how to protect yourself and business at: