AccuPOS Point of Sale Vuln - Insecure "Authenticated Users: Modify"


AccuPOS

Incorrect Permission Assignment for Critical Resource

CVE ID

CVE-2018-15809

VENDOR

AccuPOS, Inc.

PRODUCT

AccuPOS

Product version

Version 2017.8

Vulnerability Details

The AccuPOS Point Of Sale Application is installed with the insecure "Authenticated Users: Modify" permission for files within the installation path. This may allow local attackers to compromise the integrity of critical resource and executable files.
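
A defender can check a host for the condition described above. The PowerShell below is an added example, not code from the advisory or the vendor; the install path is a placeholder, and the set of broad groups and file extensions it looks at is an assumption.

```powershell
param(
    # Placeholder: the advisory does not give the install path; set it for your host.
    [string]$InstallPath = 'C:\Path\To\AccuPOS'
)

# Well-known SIDs of broad groups (SIDs avoid localized group names).
$broadSids = @{
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-1-0'      = 'Everyone'
}

# Bits that allow altering or replacing a file; "Modify" includes WriteData, AppendData and Delete.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::WriteData -bor $fsr::AppendData -bor $fsr::Delete -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)
$genericMask = 0x50000000   # GENERIC_WRITE | GENERIC_ALL, seen on inherit-only ACEs

# Audit the install directory itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $InstallPath -Force) +
         @(Get-ChildItem -LiteralPath $InstallPath -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop } catch { continue }
    # Ask for explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        $sid    = $rule.IdentityReference.Value
        $rights = [int]$rule.FileSystemRights
        if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid) -and
            ($rights -band ($writeMask -bor $genericMask))) {
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $broadSids[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
                Binary    = $item.Extension -in '.exe', '.dll', '.bat', '.cmd', '.ps1'
            }
        }
    }
}

# Executables and scripts first: those are the files whose integrity matters most.
$findings | Sort-Object Binary -Descending | Format-Table -AutoSize -Wrap
```

Rows with `Inherited = True` come from an ACE set on a parent directory, so the correction belongs on that parent rather than on each file. Deny ACEs are not evaluated here.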


Vendor response

AccuPOS has not remediated the vulnerability.

Disclosure timeline

02-27-2018 - Disclosed to Vendor
03-27-2018 - Follow up via Email
04-09-2018 - No response from vendor
06-03-2018 - Publicly disclosed at BSides ATL