HTTPSChecker / releases

Releases of HTTPS Checker
https://httpschecker.net/

Electron.js Version, Insecure Web Preferences, In-app Navigation #34

Open masood opened 10 months ago

masood commented 10 months ago

Summary:

The HTTPS Checker Desktop Application uses an old version of Electron.js, with insecure web preferences, and does not include checks on in-app navigation.

Platform(s) Affected:

MacOS, Windows, Linux

Steps To Reproduce:

  1. Open the HTTPS Checker Desktop Application with `--remote-debugging-port=8315`. In your Chromium-based browser, navigate to `localhost:8315` and interact with the application via the DevTools console.
  2. [Navigate to Malicious Site] Within the address bar, update the location to, say, `window.open = "https://malicious.com"`. This site loaded within the renderer process now has access to Node.js libraries.
  3. [Access Node.js Libraries] Within the console, execute `require('child_process').execFile('/Applications/Emacs.app')` – observe that, if installed on the system, Emacs opens. Essentially, any malicious code that runs in the renderer process can compromise the user's underlying system.

Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
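For readers triaging the two configuration points in the report above (web preferences and in-app navigation), the following is an added example, not part of the original report and not HTTPS Checker's own code. It assumes the Node.js access described in step 2 comes from `nodeIntegration` being enabled, that the app runs on an Electron release providing `setWindowOpenHandler`, and that the only trusted remote origin is the project site; all function and constant names are hypothetical.

```javascript
// Added example: TRUSTED_ORIGINS, REQUIRED_PREFS and the three functions are
// hypothetical names, not taken from the HTTPS Checker code base.
const TRUSTED_ORIGINS = new Set(['https://httpschecker.net']); // assumed allowlist

// Settings a renderer that can display remote content should set explicitly.
const REQUIRED_PREFS = {
  nodeIntegration: false,  // page scripts get no require()
  contextIsolation: true,  // preload and page run in separate JS worlds
  sandbox: true,           // renderer runs inside the Chromium sandbox
  webSecurity: true,       // same-origin policy stays enabled
};

// Return one finding per preference that is missing or set unsafely.
function auditWebPreferences(prefs = {}) {
  return Object.entries(REQUIRED_PREFS)
    .filter(([key, want]) => prefs[key] !== want)
    .map(([key, want]) => `${key} should be ${want}, got ${prefs[key]}`);
}

// Decide whether a navigation or window.open target may load in the app.
function isTrustedNavigation(rawUrl, trusted = TRUSTED_ORIGINS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparsable targets are refused
  }
  // Compare the parsed origin, never a string prefix, so that
  // "https://httpschecker.net.evil.example" does not pass.
  return url.protocol === 'https:' && trusted.has(url.origin);
}

// Attach both checks to a webContents object. In the main process:
//   app.on('web-contents-created', (_event, contents) => guardNavigation(contents));
function guardNavigation(contents) {
  contents.on('will-navigate', (event, url) => {
    if (!isTrustedNavigation(url)) event.preventDefault();
  });
  contents.setWindowOpenHandler(({ url }) =>
    ({ action: isTrustedNavigation(url) ? 'allow' : 'deny' }));
}

// Constructed sample: preferences resembling the state the report describes.
console.log(auditWebPreferences({ nodeIntegration: true }));
console.log(isTrustedNavigation('https://malicious.com'));
```

The audit is deliberately conservative: a preference left unset is reported even where the running Electron version would default it safely.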

stilliard commented 10 months ago

Hi @masood

Interesting. To help us rate the issue, could you explain an example where the user would be vulnerable without opening themselves up with the remote debugging?

Other than convincing a user with social engineering to open with remote debugging enabled via the CLI, which at that point you could have them run most anything through the CLI anyway, I'm unsure why a user would use remote debugging with this app.

Thanks & appreciate the report!