360 to expose vulnerabilities: 360 head set client permissions set incorrectly-360, 360 holes, 360-IT information 360 to expose vulnerabilities: 360 head set client permissions set incorrectly

Since 360 account exposes out exists "any user password modified" vulnerability Hou, clouds vulnerability platform again has white hat disclosure "360 cloud plate client permission set improper" vulnerability, impact all using 360 cloud plate of customer, known, in some situation Xia, user storage in 360 cloud plate in the of all content are will exposed, can was free browse and the download, caused serious of privacy leaked.

Previously, on November 26, the cloud hole landing with the white hat found 360 account system "arbitrary password change" vulnerability, use 360 account saved telephone, SMS, records and personal files are in the cloud may be browsing Downloads. Users also pointed out that this vulnerability has appeared in June 2012, belong to the "design/logic error", that is, at the beginning of the design can be avoided completely. Then 360 emergency response, recognized this vulnerability does exist and has been restored. However, we still don't quite understand why the 360 a year coming out twice in the same situations of vulnerability once again exposed 360 head hat has "improperly set client permissions" new vulnerability. Was twice exposed vulnerabilities, users are subject to privacy and data security in jeopardy.

Cyber security experts expressed concern, saying that "in some cases, a hacker can exploit this vulnerability can do whatever they want in a cloud of 360 user 360 user exists for others to easily spy on and even dangers of arbitrarily changing its content in the cloud. Recommends that the user 360 unpatched vulnerabilities prior to transfer important information in a timely manner in the cloud, so as not to cause unnecessary losses. "As of now, 360, this vulnerability has not yet been given any response and explanation.

360再曝漏洞：360云盘客户端权限设置不当 - 360云盘,360漏洞,360 - IT资讯
360再曝漏洞：360云盘客户端权限设置不当

自360账户曝出存在“任意用户密码修改”漏洞后，乌云漏洞平台再次有白帽子披露“360云盘客户端权限设置不当”漏洞，影响所有使用360云盘的客户，据悉，在某些情况下，用户存储在360云盘中的所有内容均会暴露，可以被随意浏览及下载，造成严重的隐私泄露。

在此前，11月26日，乌云漏洞平台上有白帽子发现360账号系统存在“任意用户密码修改”漏洞，使用360账号保存过的电话、短信、记录以及云盘中的私人文件均有可能被随意浏览下载。网友也指出此漏洞在2012年6月份就已出现，属于“设计缺陷/逻辑错误”，也就是说在设计之初完全可以避免。随后360紧急回应，承认该漏洞确实存在且已经在修复中。然而，就在大家还没搞明白360为何一年中两次曝出同一漏洞的情况下，再次有白帽子曝出360云盘存在“客户端权限设置不当”的新漏洞。被两次曝漏洞，均有可能造成用户隐私泄露，数据安全岌岌可危。

相关网络安全专家对此表示担忧，称“在某些情况下，黑客可利用此漏洞可在360用户的云盘中为所欲为，360云盘用户存在被其他人轻易窥探甚至随意改变其云盘中内容的危险。建议用户在360未修补漏洞之前将云盘中相关重要信息及时转移，以免造成不必要的损失。”截至目前，360还尚未对此漏洞给出任何回应与解释。