digimezzo / dopamine

The audio player that keeps it simple
https://digimezzo.github.io/site/
GNU General Public License v3.0
1.46k stars, 110 forks

Dopamine does not sanitize links passed to the user's system #470

Open masood opened 10 months ago

masood commented 10 months ago

Summary

While the Dopamine Desktop Application opens links outside of the app by passing them to the system’s default browser, it does not sanitize these URLs, which can result in the execution of sensitive files on the user’s system.

Platform(s) Affected

MacOS, Linux, Windows

Steps To Reproduce

  1. Open the Dopamine Desktop Application from the command-line. Add a command-line switch --remote-debugging-port=8315 while running the application.

  2. Open a web browser on the same device and visit localhost:8315. The application can be interacted with via the DevTools protocol.

  3. [Access Sensitive File] Within the console, update the location, say, window.location = "file:///Applications/Emacs.app/Contents/MacOS/Emacs". The file at the given path is opened. If this file is an executable, it is run by the system.

If a link were to be opened within the application, a user will have that sensitive file (if it exists) executed on their system.

-- Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
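The fix the report is asking for is a scheme allowlist in the main process, applied before any URL reaches the OS. The following is an added example written for this page, not Dopamine's own code: `isSafeExternalUrl` accepts only absolute http(s) URLs, and `hardenWebContents` wires that check into Electron's real `will-navigate` event and `setWindowOpenHandler`, so a renderer that sets `window.location` to a `file:` URL (as in step 3) gets its navigation cancelled instead of forwarded to `shell.openExternal`. The function names `isSafeExternalUrl`, `hardenWebContents`, `FakeWebContents` and `simulate` are assumptions of this example; `FakeWebContents` is a test double that stands in for Electron's WebContents so the file runs under plain Node without Electron installed.

```javascript
'use strict';
// Added example, not Dopamine's code: validate a URL before handing it to the OS,
// and install that check on Electron's navigation hooks. The Electron-facing code
// takes `contents` (a WebContents) and `shell` as parameters instead of importing
// electron, so this file runs stand-alone; FakeWebContents below is a test double.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// True only for absolute http(s) URLs with a host and no embedded credentials.
// file:, javascript:, data: and custom schemes (which the OS may route to arbitrary
// handlers) are all rejected, so a renderer cannot launch a local executable this way.
function isSafeExternalUrl(raw) {
  if (typeof raw !== 'string') return false;
  let parsed;
  try {
    parsed = new URL(raw); // WHATWG parser: throws on relative or malformed input
  } catch {
    return false;
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) return false; // normalised to lowercase
  if (!parsed.hostname) return false;
  if (parsed.username || parsed.password) return false;
  return true;
}

// Installs the policy on a WebContents. `will-navigate` fires for navigations the
// page starts, including `window.location = ...`; every such navigation is cancelled
// in-app and only validated http(s) links are passed to shell.openExternal. The
// window-open handler applies the same rule and never creates a new BrowserWindow.
function hardenWebContents(contents, shell) {
  contents.on('will-navigate', (event, url) => {
    event.preventDefault();
    if (isSafeExternalUrl(url)) shell.openExternal(url);
  });
  contents.setWindowOpenHandler(({ url }) => {
    if (isSafeExternalUrl(url)) shell.openExternal(url);
    return { action: 'deny' };
  });
}

// Test double mimicking the two WebContents methods used above (not Electron's class).
class FakeWebContents {
  constructor() { this.listeners = new Map(); this.openHandler = null; }
  on(name, fn) { this.listeners.set(name, fn); }
  setWindowOpenHandler(fn) { this.openHandler = fn; }
  // Emulates Electron emitting will-navigate after the renderer changed window.location;
  // returns whether the listener cancelled the navigation.
  navigate(url) {
    let prevented = false;
    this.listeners.get('will-navigate')({ preventDefault: () => { prevented = true; } }, url);
    return prevented;
  }
}

// Drives a hardened fake WebContents with one URL and reports what the OS would have
// been asked to open, for a location change and for a window.open() of the same URL.
function simulate(url) {
  const opened = [];
  const shell = { openExternal: (u) => { opened.push(u); return Promise.resolve(); } };
  const contents = new FakeWebContents();
  hardenWebContents(contents, shell);
  const prevented = contents.navigate(url);
  const openedByNavigate = opened.splice(0);
  const popupAction = contents.openHandler({ url }).action;
  const openedByPopup = opened.splice(0);
  return { prevented, openedByNavigate, popupAction, openedByPopup };
}

// Constructed inputs: the path from the report (it only exists on a machine with
// Emacs.app), the project's site, and a javascript: URL.
for (const u of ['file:///Applications/Emacs.app/Contents/MacOS/Emacs',
                 'https://digimezzo.github.io/site/',
                 'javascript:alert(1)']) {
  console.log(u, '->', JSON.stringify(simulate(u)));
}
```

The check runs in the main process, so it holds no matter how the renderer was driven: the `--remote-debugging-port` switch in steps 1 and 2 is only the vehicle for issuing the `window.location` change, and the same assignment from a script inside the page hits the same `will-navigate` listener. Allowlisting schemes is deliberately stricter than blocklisting `file:`, because any scheme with a registered OS handler is an execution vector.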