In-app Navigation and IPC Sender Verification

[masood]

Summary: Thank you for designing the Helios Launcher Desktop Application. The application does a great job of handling account and mod management. We list pointers of concern below that can help make the application more secure.

1. [In-app Navigation]: While the application has checks on the did-navigate event (e.g., for Microsoft Auth [Link]), it can benefit from limiting a will-navigate event before any navigation to prevent loading and redirecting to third-party links within the app. [Link]
2. [IPC Messages]: Since the application uses custom IPC, it will be helpful to verify the sender of IPC messages before handling and responding to them in IPC Main. While each handler currently receives the sender from the event for each of the arguments, they are not verified for all messages. [Link]

Thank you!

Platform(s) Affected: MacOS, Windows, Linux

– Mir Masood Ali, PhD student, University of Illinois Chicago Mohammad Ghasemisharif, PhD Candidate, University of Illinois Chicago Chris Kanich, Associate Professor, University of Illinois Chicago Jason Polakis, Associate Professor, University of Illinois Chicago

[Codixer]

So how would it happen that you go to another URL that's not based on the launcher? There is no UGC apart from the stuff the server itself puts in the launcher, or in their own RSS feed.

As for the IPC, do all electron applications have access to the IPC messages, or is it application specific.

While security is always great, as far as I can personally see, helios isn't able to put up any windows, apart from hardcoded ones.