HomesecurityHow can WinZip be used by hackers?

How can WinZip be used by hackers?

Server-client communication on certain versions of the WinZip file compression tool is unsafe and could be modified to deliver malicious content to users.

WinZip is a long-term utility for Windows users with file archiving needs in addition to the support built into the operating system.


The tool, which was originally released about 30 years ago, now has versions for MacOS, Android and iOS, as well as a corporate version that adds collaboration features. According to its website, the application has more than one billion downloads.

WinZip is currently in version 25, but earlier versions controlled the server for updates through an unencrypted connection, One weakness that could be exploited by a hacker.

Martin Rakhmanov of Trustwave SpiderLabs detected traffic from a vulnerable version of the tool to show this unencrypted Communication.

Given the precarious nature of the communication channel, Rakhmanov says traffic can be "stolen, manipulated or hijacked" by an intruder on the same network with the WinZip user.

One risk arising from this action is DNS poisoning, which misleads the application into retrieving a fake update from a malicious web server.

"As a result, the unsuspecting user can start arbitrary code "It's like a valid update," Rakhmanov said in a post today.

In vulnerable versions of WinZip, an attacker could gain some potentially sensitive information, such as Username and the registration code.

Rakhmanov says that communication with cleartext It is also used to display pop-ups informing users who are running the free trial version of WinZip how much time they have left for testing.

The content in the popup is HTML that retrieves JavaScript. This allows an attacker to network to expose users to arbitrary content which appears to come directly from WinZip servers.

The researcher says that this scenario also comes with the risk of executing arbitrary code on his machine victim, because WinZip offers some "powerful" API on JavaScript.

In version 25 of WinZip, no communication with cleartext. Recommended to users to upgrade to the latest version of the application.

However, many users cannot download the current version because upgrades are payable. The standard WinZip costs $ 35,64 and the Pro version $ 59,44.

If software upgrades are not an option, users are advised to disable them information checks.




Please enter your comment!
Please enter your name here

Teo Ehc
Teo Ehc
Be the limited edition.