Open · sneak opened 1 month ago
It looks like this vulnerability is caused by the autoupdate functionality in the bridge. This should be patched out or disabled in the container build process so that the container's integrity is preserved.
Reported upstream as well:
https://github.com/ProtonMail/proton-bridge/issues/494
Given their zeal for co-opting users' machines for their own purposes, I assume this will need to be patched out in the container and won't get fixed upstream.
Without permission, this software downloads new code from the server and prepares to execute it. This violates the entire security model of content-addressable Docker container executables.
This allows anyone with control of the remote server to specify arbitrary code to execute within the container.
This allows an attacker in control of the update download server to replace the update executable that is downloaded, and steal or exfiltrate keys and mail.
Such nonconsensual automated remote code execution (the fact that it is called "autoupdate" is irrelevant) is inappropriate in software implementing end-to-end encryption. If the not-end can cause the end to give up its keys or plaintext at any time via a software update, then the end-to-end encryption is simply farce.
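The integrity property the report appeals to (a container image is content-addressed, so the executables inside it should be exactly the ones that were built) can be checked at runtime rather than only assumed. The following is an added example, not code from the issue or from the proton-bridge project: it records a manifest of file hashes at build time and verifies the tree against it later, so a binary that an updater swapped in after the container started is flagged instead of silently run. The directory layout, the file name `bridge` and the `demo` function are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the issue or the proton-bridge project): a
# build-time manifest of file hashes plus a runtime verifier, so a binary
# replaced inside the container after start (for instance by an updater)
# is detected rather than executed unnoticed.

set -u

# Write "sha256  ./relative/path" for every regular file under $1, sorted
# so that two manifests of the same tree compare byte-for-byte.
make_manifest() {
    dir="$1"
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        sha256sum "$f"
    done )
}

# Compare the tree under $1 against the manifest file $2.
# Returns 0 when every file matches; returns 1 and prints the differing
# entries when any file was changed, added or removed.
verify_manifest() {
    dir="$1"
    manifest="$2"
    tmp=$(mktemp)
    make_manifest "$dir" > "$tmp"
    if cmp -s "$manifest" "$tmp"; then
        rm -f "$tmp"
        return 0
    fi
    echo "integrity check FAILED; differences (< expected, > actual):"
    diff "$manifest" "$tmp" | grep '^[<>]' || true
    rm -f "$tmp"
    return 1
}

# Demonstration on a constructed directory standing in for the image's
# application files; the file name "bridge" is made up for the example.
# Returns 0 when the tampering is detected, 1 otherwise.
demo() {
    app=$(mktemp -d)
    manifest=$(mktemp)
    printf '#!/bin/sh\necho original build\n' > "$app/bridge"
    chmod +x "$app/bridge"
    make_manifest "$app" > "$manifest"      # taken at image build time

    verify_manifest "$app" "$manifest" >/dev/null && echo "clean image: OK"

    # Simulate an auto-updater overwriting the binary with downloaded code.
    printf '#!/bin/sh\necho downloaded replacement\n' > "$app/bridge"
    if verify_manifest "$app" "$manifest" >/dev/null; then
        echo "tampered image: NOT detected"
        rc=1
    else
        echo "tampered image: detected"
        rc=0
    fi
    rm -rf "$app" "$manifest"
    return $rc
}

demo
```

In a real build the manifest would be generated in the Dockerfile over the application directory and baked into the image (or stored outside it), and `verify_manifest` would run from the container entrypoint or a health check before the application binary is launched, failing the container rather than starting modified code.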