A vulnerability in the playback and editing tool for GoPro Studio leaves user data susceptible to attack by making update requests over the open web using unencrypted HTTP connections researchers at Pentest Partners recently discovered, according to a report in Forbes.
The company also sends the updates themselves to users as unencrypted traffic. An attacker using the same network, such as a public WiFi connection, could intercept an update request and in response promise to deliver a higher version, even if new updates weren't actually available. The victim's software recognises the response and allows the victim to download the phony update, potentially exposing all data to malware.
Ken Munro, partner at Pentest Partners, told Forbes that unencrypted updates are common across applications and that all firms should look to ensure that their updates are protected.