sfx101 / deck

DECK is a powerful and high performant local web development studio, an open source alternative to Docker desktop

Home Page:https://github.com/deck-app


The Deck Desktop Application uses insecure web preferences and does not restrict in-app navigation

masood opened this issue · comments

Summary:

The Deck Desktop Application uses insecure web preferences and does not restrict in-app navigation.

Platform(s) Affected:

MacOS, Linux, Windows

Steps To Reproduce:

  1. Open the Deck Desktop Application from the command-line. Add the command-line switch `--remote-debugging-port=8315` while running the application.

  2. Open a web browser on the same device and visit localhost:8315. The application can be interacted with via the DevTools protocol.

  3. [Navigate to Malicious Site] Within the console, update the location, say, `window.open = "https://malicious.com"`. The Deck Desktop application window is navigated away from the application’s intended page.

  4. [Access Node.js Libraries] Within the console, execute `require('child_process').execFile('/Applications/Emacs.app/Contents/MacOS/Emacs')` – observe that, if installed on the system, Emacs opens. Essentially, any malicious code that runs in the renderer process can compromise the user’s underlying system.

Deck uses an old version of Electron.js. It is recommended that updated versions of the framework be used to take advantage of secure defaults and security fixes.

--

Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
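The two findings above (renderer access to Node.js, and unrestricted in-app navigation) are usually closed with hardened `webPreferences` plus an origin allow-list enforced on `will-navigate` and `window.open`. The following is an added example written for this page, not code from the deck project or from the reporters; it assumes the app's UI is served from the constructed placeholder origin `http://localhost:3000` and that a `preload.js` exists next to the main script.

```javascript
// Added example (not deck's own code): hardened Electron window settings plus a
// navigation allow-list. ALLOWED_ORIGINS is a constructed placeholder.
const ALLOWED_ORIGINS = ['http://localhost:3000'];

// Web preferences that keep renderer-side JavaScript away from Node.js APIs,
// so a compromised page cannot call require('child_process').
function secureWebPreferences(preloadPath) {
  return {
    nodeIntegration: false,  // no require() in the renderer
    contextIsolation: true,  // preload and page run in separate JS worlds
    sandbox: true,           // Chromium OS sandbox for the renderer process
    webSecurity: true,       // keep same-origin policy enforced
    preload: preloadPath,    // expose only a minimal API via contextBridge
  };
}

// Single policy check shared by will-navigate and window.open handling.
// Compares full origins (scheme + host + port), so "localhost:3000.evil.test" fails.
function isNavigationAllowed(targetUrl, allowedOrigins = ALLOWED_ORIGINS) {
  let parsed;
  try {
    parsed = new URL(targetUrl);
  } catch {
    return false; // unparsable URL: deny by default
  }
  return allowedOrigins.includes(parsed.origin);
}

// Wires the policy into a BrowserWindow; only meaningful inside Electron's main process.
function createMainWindow() {
  const { BrowserWindow, shell } = require('electron');
  const path = require('path');
  const win = new BrowserWindow({
    webPreferences: secureWebPreferences(path.join(__dirname, 'preload.js')),
  });
  // Block the app window from navigating anywhere outside the allow-list.
  win.webContents.on('will-navigate', (event, url) => {
    if (!isNavigationAllowed(url)) event.preventDefault();
  });
  // Never open new in-app windows; hand http(s) links to the system browser instead.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (/^https?:/i.test(url)) shell.openExternal(url);
    return { action: 'deny' };
  });
  win.loadURL(ALLOWED_ORIGINS[0]);
  return win;
}

if (typeof require !== 'undefined' && require.main === module) {
  require('electron').app.whenReady().then(createMainWindow);
}
```

Run it with `electron main.js`; the pure functions `secureWebPreferences` and `isNavigationAllowed` can also be unit-tested under plain Node without Electron installed.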

Hi @masood ,
Thank you for using DECK. Noted, we are updating the next release.