Verifying IPC Message Senders and Cookie Encryption

[masood]

Summary: Thank you for designing the Fluent Reader Desktop Application and making it open source and available. The browser does a great job of using secure preferences when the user navigates to arbitrary websites. We list pointers of concern below that can help make the application more secure.

1. [IPC Messages]: Since the application uses custom IPC and allows navigation to arbitrary sites, it will be helpful to verify the sender of IPC messages before handling and responding to them in IPC Main. It currently associates some IPC calls with e.mainWindow which is great. Adopting a similar approach for other IPC calls will be helpful as well. [Link]
2. [Encrypting Cookies]: The application stores sensitive cookies on the filesystem. It will be helpful to use a fuse to encrypt cookies. [Link]

Thank you!

Platform(s) Affected: MacOS, Windows, Linux

– Mir Masood Ali, PhD student, University of Illinois at Chicago Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago Chris Kanich, Associate Professor, University of Illinois at Chicago Jason Polakis, Associate Professor, University of Illinois at Chicago

[yang991178]

Thanks for the report.

1. All navigation in the electron window is prevented and third party websites are only loaded in isolated webviews, so I think only the local application code can send IPC messages. Not sure if this is still a concern in this case?
2. Actually all cookies are cleared when the application is closed.