A flaw in ConnectWise Control spurred the company to make life harder for scammers
A vulnerability in popular remote access service/platform ConnectWise Control could have been leveraged by scammers to make compromising targets' computers easier, Guardio researchers have discovered.
Scammers are already abusing the fully-featured 14-day trial of that hosted cloud service to use the platform at no cost; the vulnerability could additionally have allowed them to remove an alert that breaks the illusion the scammers are trying to create.
ConnectWise Control is a solution often used by managed and IT service providers and support and help desk teams to remotely connect to clients' machines, troubleshoot the problem and fix what needs fixing.
To add to the problem, the alert that the trial version shows to end users - advising them to be careful to whom they are allowing access and control of their device and notifying them that the ConnectWise Control solution in use is a trial version - can be easily removed by exploiting a stored cross-site scripting vulnerability in the web application.
"The webapp admin has control over text and images stored on the servers and served as part of the portal webapp to any visitor. For most of the customizable textual elements, there is decent validation and sanitation," the researchers found.
The researchers notified ConnectWise about this simple yet powerful vulnerability earlier this year, and the company fixed it in v22.6 of the solution by correctly sanitizing the Page.Title element.
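The bug class described above (an admin-editable page title written into the portal's HTML without encoding, fixed by sanitizing it on output) is easy to show in a few lines. The following is an added example written for this summary, not ConnectWise's code: the settings object, the template, and the function names (`renderHeaderUnsafe`, `renderHeaderSafe`, `injectedTags`, `flagMarkupInSettings`) are hypothetical, and the stored title value is constructed to illustrate the sink. It contrasts the unescaped render with the escaped one and includes two defender-side checks: one that audits stored settings for markup, and one that compares the tags in rendered output against the tags the template itself contains.

```javascript
// Added example, not ConnectWise code. Names and the sample settings are hypothetical.

// Minimal HTML entity encoder for text placed between tags or in quoted attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stored settings: what a portal admin (or a trial-account holder)
// can edit. The title carries a script tag with an empty body; the banner is
// the kind of trial notice the page text refers to.
const CONSTRUCTED_SETTINGS = {
  pageTitle: 'Support Portal<script>void 0</script>',
  bannerText: 'This is a trial version of the remote control software',
};

// The only tags the template is allowed to emit on its own.
const TEMPLATE_TAGS = ['title', 'div'];

// Vulnerable pattern: stored, admin-controlled strings interpolated straight into markup.
function renderHeaderUnsafe(settings) {
  return `<title>${settings.pageTitle}</title>\n` +
         `<div class="trial-banner">${settings.bannerText}</div>`;
}

// Hardened pattern: every stored string is encoded at the point it enters HTML.
function renderHeaderSafe(settings) {
  return `<title>${escapeHtml(settings.pageTitle)}</title>\n` +
         `<div class="trial-banner">${escapeHtml(settings.bannerText)}</div>`;
}

// Audit check 1: which stored settings already contain raw markup?
// Useful when reviewing persisted customization data after a fix ships.
function flagMarkupInSettings(settings) {
  return Object.keys(settings).filter((key) => /<\/?[a-zA-Z!]/.test(settings[key]));
}

// Audit check 2: which tag names appear in rendered HTML that the template
// itself does not produce? Returns a sorted, de-duplicated list.
function injectedTags(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const found = new Set();
  for (const match of html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const name = match[1].toLowerCase();
    if (!allowed.has(name)) found.add(name);
  }
  return [...found].sort();
}

// Stand-alone demonstration.
console.log('stored settings with markup:', flagMarkupInSettings(CONSTRUCTED_SETTINGS));
console.log('unsafe render injects:', injectedTags(renderHeaderUnsafe(CONSTRUCTED_SETTINGS), TEMPLATE_TAGS));
console.log('safe render injects:', injectedTags(renderHeaderSafe(CONSTRUCTED_SETTINGS), TEMPLATE_TAGS));
```

The escaped render still shows the literal text `<script>` to a visitor, which is the correct behaviour for a title field; the point of the fix the article describes is that the string never becomes an element. The two audit functions are the kind of check worth running over exported portal settings and rendered pages after upgrading past a fix like the v22.6 one.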
News URL
https://www.helpnetsecurity.com/2022/11/23/connectwise-control-vulnerability-scammers/