voltapp / volt

300 KB desktop client for Slack, Skype, Twitter, Telegram, and more
608 stars 8 forks

Super cool but ... #143

Closed SRGOM closed 4 years ago

SRGOM commented 5 years ago

It's a bit spooky how I opened Slack for the first time in my life today and then downloaded Volt and it opened that channel.. Honestly it's cool but weird. How did you do this? Do you go read Firefox history?

medvednikov commented 5 years ago

I had the same thought when I implemented this.

It'd be cool but spooky.

It's a temporary hack. Once the accounts window works, there will be normal authentication.

erdnaxeli commented 5 years ago

It is really spooky. If you stole the Slack session cookie, you could also steal all others found in the Firefox profile. You must support Slack OAuth.

Fingel commented 5 years ago

Yea, this is really unnerving. I feel like I need to invalidate all my Firefox sessions now. What did you do?

ChildishGiant commented 5 years ago

I'd like if you addressed how this is happening, I won't be downloading volt until this is addressed. Having said that, I'm sure you're not doing anything out of malice just, as you said, as a hack.

xdave commented 5 years ago

Lol that's what you guys get for running proprietary software.

pipboy96 commented 5 years ago

@xdave More like "that's what you get for not setting up file permissions correctly".

pipboy96 commented 5 years ago

It's actually quite simple. The Firefox cookie jar file is not encrypted in any way and it's a simple SQLite file stored in the user profile folder. Any app can do the same, unless you run it sandboxed in some way. It's not specific to Volt in any way. You can use Ghidra, IDA or similar software to see how it works (unless this code has been removed), it's not some insanely complex hack. It definitely would be a good idea to ask the user for permission and give the user the option to extract the authentication token manually.
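
An added example, not part of the thread or of Volt's code: a permissions audit tied to the file-permission and plain-SQLite points in the two comments above. It reports whether any Firefox cookie store under a profiles directory is readable by other local accounts; the function names and the sample profile tree are constructed for illustration.

```python
import os
import stat
import tempfile
from pathlib import Path

COOKIE_DB = "cookies.sqlite"  # file name Firefox uses for its cookie store

def audit_cookie_stores(profiles_root):
    """For each cookie store under profiles_root, return (path, exposed_to).

    exposed_to lists the permission classes ("group", "other") that can both
    search the profile directory and read the file. Heuristic: only the
    immediate profile directory is checked, not every parent directory.
    """
    classes = (("group", stat.S_IRGRP, stat.S_IXGRP),
               ("other", stat.S_IROTH, stat.S_IXOTH))
    findings = []
    for db in sorted(Path(profiles_root).rglob(COOKIE_DB)):
        file_mode = stat.S_IMODE(db.stat().st_mode)
        dir_mode = stat.S_IMODE(db.parent.stat().st_mode)
        exposed = [who for who, r_bit, x_bit in classes
                   if file_mode & r_bit and dir_mode & x_bit]
        findings.append((str(db), exposed))
    return findings

def build_constructed_profiles(root):
    """Create two empty, constructed profiles: one locked down, one loose."""
    for name, dir_mode, file_mode in (("locked.default", 0o700, 0o600),
                                      ("loose.default", 0o755, 0o644)):
        profile = Path(root) / name
        profile.mkdir()
        db = profile / COOKIE_DB
        db.touch()
        os.chmod(db, file_mode)
        os.chmod(profile, dir_mode)

if __name__ == "__main__":
    # Demo on a constructed tree; on Linux the real profiles normally live
    # under ~/.mozilla/firefox (assumption, adjust for your platform).
    with tempfile.TemporaryDirectory() as root:
        build_constructed_profiles(root)
        for path, exposed in audit_cookie_stores(root):
            status = "exposed to " + ", ".join(exposed) if exposed else "owner only"
            print(f"{Path(path).parent.name}: {status}")
    # A process running as the owning user passes this check regardless;
    # the thread names sandboxing as the control for that case.
```
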

SRGOM commented 4 years ago

I just like how obnoxious communists are paranoid about everything. How do you know @xdave that your washing machine does not have a hidden bomb and your grinder doesn't have a sensor to detect how close your head is to it?

Fingel commented 4 years ago

Well ok. That has to be one of the strangest closing issue comments I've ever seen. Obnoxious communists? Hidden bombs?

This project is super sketchy. Never getting near it again.

pipboy96 commented 4 years ago

@Fingel SRGOM is not an author or maintainer of this project, only this issue. I already reported him to GH support.

Luckz commented 4 years ago

You want to report someone for closing their own issue?

pipboy96 commented 4 years ago

@Luckz no, just for an unproductive comment.

Luckz commented 4 years ago

Unproductive comments here:

that's what you guys get for

This project is super sketchy.

¯\_(ツ)_/¯

medvednikov commented 4 years ago

Volt won't be doing this in a new release.