sfx101 / deck

DECK is a powerful and high-performance local web development studio, an open source alternative to Docker Desktop
https://github.com/deck-app
GNU Affero General Public License v3.0

The Deck Desktop Application uses insecure web preferences and does not restrict in-app navigation #150

Closed masood closed 7 months ago

masood commented 9 months ago

Summary:

The Deck Desktop Application uses insecure web preferences and does not restrict in-app navigation.

Platform(s) Affected:

MacOS, Linux, Windows

Steps To Reproduce:

  1. Open the Deck Desktop Application from the command line. Add the command-line switch `--remote-debugging-port=8315` while running the application.

  2. Open a web browser on the same device and visit localhost:8315. The application can be interacted with via the DevTools protocol.

  3. [Navigate to Malicious Site] Within the console, update the location, say, `window.open = "https://malicious.com"`. The Deck Desktop application window is navigated away from the application's intended page.

  4. [Access Node.js Libraries] Within the console, execute `require('child_process').execFile('/Applications/Emacs.app/Contents/MacOS/Emacs')` and observe that, if installed on the system, Emacs opens. Essentially, any malicious code that runs in the renderer process can compromise the user's underlying system.

Deck uses an old version of Electron.js. It is recommended that updated versions of the framework be used to take advantage of secure defaults and security fixes.

--

Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
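The two findings above (Node.js reachable from the renderer, and unrestricted in-app navigation) map onto two Electron settings. The following is an added example of how a main process closes both, not code from the Deck project: it hardens `webPreferences` and enforces an allow-list on `will-navigate` and `window.open`. The allowed origin `http://localhost:3000` is an assumed value for the app's own UI; a real app substitutes whatever it actually loads.

```javascript
// Added example (not Deck's own code): hardened BrowserWindow setup for an
// Electron app, plus the navigation policy the report says is missing.

// Assumed origin of the app's own UI; only this may be loaded in-window.
const ALLOWED_ORIGINS = new Set(['http://localhost:3000']);

// Secure renderer settings. Current Electron releases default to these, but
// an old Electron (as the report notes Deck uses) must set them explicitly.
const SECURE_WEB_PREFERENCES = {
  nodeIntegration: false,       // renderer cannot require('child_process')
  contextIsolation: true,       // preload world separated from page scripts
  sandbox: true,                // renderer runs in the OS sandbox
  webSecurity: true,            // keep same-origin policy enforced
  allowRunningInsecureContent: false,
};

// Decide whether a navigation or window.open target may load in the app.
// Anything that is not a well-formed http(s) URL on an allowed origin is refused.
function isAllowedNavigation(target) {
  let url;
  try { url = new URL(target); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  return ALLOWED_ORIGINS.has(url.origin);
}

// Wire the policy into a BrowserWindow. Electron is only required here, at
// call time, so the policy function above is plain Node and unit-testable.
function createSecureWindow() {
  const { BrowserWindow, shell } = require('electron');
  const win = new BrowserWindow({ webPreferences: SECURE_WEB_PREFERENCES });

  // Block in-place navigation to anything outside the allow-list.
  win.webContents.on('will-navigate', (event, url) => {
    if (!isAllowedNavigation(url)) event.preventDefault();
  });

  // window.open: allow in-app origins; hand http(s) links to the OS browser
  // instead of opening a new privileged BrowserWindow; drop everything else.
  win.webContents.setWindowOpenHandler(({ url }) => {
    if (isAllowedNavigation(url)) return { action: 'allow' };
    if (/^https?:/.test(url)) shell.openExternal(url);
    return { action: 'deny' };
  });
  return win;
}

module.exports = { SECURE_WEB_PREFERENCES, isAllowedNavigation, createSecureWindow };
```

Note that `--remote-debugging-port` is a launch-time Chromium switch; the settings above limit what a connected DevTools session can do, but only not exposing the port (and not shipping debug switches in production launchers) removes that entry point.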

nabad600 commented 9 months ago

Hi @masood, thank you for using DECK. Noted, we are updating the next release.