Open sneak opened 2 hours ago
Note that between this and #495 I am now convinced that the Proton developers do not respect my privacy or my rights to my own computer, and I'm going to be migrating all of my domains away from Protonmail. It's simply not worth the hassle to maintain my own Dockerfile to patch out these insane defaults.
Expected Behavior
The code I downloaded is the code that runs on my machine, and remote attackers cannot change it without permission.
Current Behavior
The software automatically downloads arbitrary code from a remote server without consent, and runs it, granting control of the local system to anyone who controls the update server.
The person in control of the update server can then use this remote code execution ability to download endpoint keys, message plaintexts, etc.
Possible Solution
Require affirmative consent for autoupdates, default autoupdates to off.
Steps to Reproduce
Run the bridge software.
Version Information
current: da767842907b72c6ca1f1cf86f6f97035e2f5243
Context (Environment)
I was running the bridge in a Docker container and it downloaded new, unchecked code without consent, which ran on the next launch.
Detailed Description
Autoupdates must be approved by the user before being installed.
Possible Implementation
Signal does it by requiring a click before replacing the code:
https://github.com/signalapp/Signal-Desktop/issues/4578
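The consent gate the report asks for, as an added example (not code from the issue, from Proton Bridge, or from Signal Desktop); Go is used only because Bridge itself is a Go program, and every name here (UpdatePolicy, Manifest, Update, Decide, SignManifest, NewReleaseKey) is hypothetical. It shows two separate controls: a release signature checked against a key embedded in the client, so that whoever controls the update server alone cannot substitute arbitrary code, and a policy whose default is "auto-update off", so that even a correctly signed update is only installed after the user has opted in globally or approved that specific version. The sample artifact and keys are constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdatePolicy is the user-controlled setting. Its zero value (AutoUpdate=false)
// is the default: the client may report that an update exists, but it never
// downloads-and-replaces code on its own.
type UpdatePolicy struct {
	AutoUpdate bool // must be explicitly set to true by the user
}

// Manifest is what the update server publishes for a release (hypothetical format).
type Manifest struct {
	Version   string
	SHA256    string // hex digest of the artifact bytes
	Signature []byte // ed25519 signature over Version+"\n"+SHA256, made with the release key
}

// Update is a release the client has fetched but not yet installed.
type Update struct {
	Manifest Manifest
	Artifact []byte
}

// Decision is the outcome for a fetched update.
type Decision int

const (
	Rejected        Decision = iota // hash or signature mismatch: never install
	AwaitingConsent                 // verified, but the user has not approved it
	Install                         // verified, and policy or explicit approval allows it
)

func (d Decision) String() string {
	return [...]string{"Rejected", "AwaitingConsent", "Install"}[d]
}

// NewReleaseKey generates a release signing key pair. In a real deployment the
// private half stays offline with the release process and only the public half
// is compiled into the client.
func NewReleaseKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the release-side step: hash the artifact and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	digest := hex.EncodeToString(sum[:])
	sig := ed25519.Sign(priv, []byte(version+"\n"+digest))
	return Manifest{Version: version, SHA256: digest, Signature: sig}
}

// Verify checks that the artifact matches the manifest and that the manifest
// carries a valid signature from the embedded release key. A compromised update
// server can serve different bytes, but it cannot produce this signature.
func Verify(pub ed25519.PublicKey, u Update) error {
	sum := sha256.Sum256(u.Artifact)
	if hex.EncodeToString(sum[:]) != u.Manifest.SHA256 {
		return errors.New("artifact hash does not match manifest")
	}
	msg := []byte(u.Manifest.Version + "\n" + u.Manifest.SHA256)
	if !ed25519.Verify(pub, msg, u.Manifest.Signature) {
		return errors.New("manifest signature invalid")
	}
	return nil
}

// Decide combines verification with the consent rule: a verified update is
// installed only if the user opted into auto-updates or approved this exact
// version (approvedVersion is what the user clicked on; "" means no approval).
func Decide(pub ed25519.PublicKey, pol UpdatePolicy, u Update, approvedVersion string) Decision {
	if err := Verify(pub, u); err != nil {
		return Rejected
	}
	if pol.AutoUpdate || approvedVersion == u.Manifest.Version {
		return Install
	}
	return AwaitingConsent
}

func main() {
	pub, priv := NewReleaseKey()
	artifact := []byte("constructed release payload, version 2.0.1") // constructed sample
	u := Update{Manifest: SignManifest(priv, "2.0.1", artifact), Artifact: artifact}

	// Default policy: the update is verified but stays staged until the user clicks.
	fmt.Println("default policy:", Decide(pub, UpdatePolicy{}, u, ""))
	// Same update after the user approved version 2.0.1.
	fmt.Println("after approval:", Decide(pub, UpdatePolicy{}, u, "2.0.1"))
}
```

The signature check and the consent check answer different parts of the report: the former limits who can produce an installable update to the holder of the release key, the latter makes sure nothing is installed until the person who owns the machine has agreed, which is the behaviour the Signal Desktop issue above describes.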