InputFlow speaks the legacy Mouse Without Borders protocol used by Microsoft PowerToys. That protocol is encrypted, but it was not designed with modern authenticated transport guarantees.
Security fixes should target the current main branch.
If you discover a vulnerability that could expose input, clipboard data, or pairing secrets:
- Do not open a public issue with exploit details.
- Send a private report to the maintainers with:
  - affected commit or release
  - reproduction steps
  - impact assessment
  - logs or packet traces with keys and hostnames removed
If no private contact channel is published yet, open a minimal public issue that only asks for a secure disclosure path and avoids technical detail.
- Prefer `key_file=` or `key_secret_id=` over storing keys inline in shell history.
- Treat the shared MWB security key as sensitive. Anyone with the key and network reachability may be able to impersonate a peer.
- Keep the Linux listener bound behind a local firewall and only allow the intended Windows peer.
- Review exported pairing helpers before moving them to another machine. They may contain the shared key and the Linux host IP.
- Avoid posting raw `mwb-windows-report-*`, `mwb-lock-report-*`, or `mwb-socket-trace-*` files publicly without redacting hostnames, IPs, and keys.
- The upstream PowerToys protocol uses AES-256-CBC framing but does not provide a modern end-to-end authenticated channel.
- Full AEAD or MAC-based integrity would require a protocol change on both the Linux client and the PowerToys side.
- Public beta users should treat InputFlow as a trusted-LAN tool, not an internet-exposed remote-control service.
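One way to scrub a report or trace before sharing it, following the redaction guidance above. This is an added example, not InputFlow's own tooling; the sample trace lines and field names are constructed, and real `mwb-*` files may use a different layout.

```python
import re
import sys

# Constructed sample of a trace file (not InputFlow's real format).
SAMPLE_TRACE = """\
2024-01-01T10:00:00 connect peer=DESKTOP-WIN.lan addr=192.168.1.20:15100
2024-01-01T10:00:01 handshake key=s3cretSharedKey host=linux-box.lan
2024-01-01T10:00:02 clipboard bytes=42 from=192.168.1.20
"""

# IPv4 address with an optional :port suffix.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
# Any key=value field whose name marks it as a secret.
KEY_RE = re.compile(r"\b(key|secret|password)=([^\s]+)")


def redact(text, hostnames=(), keys=()):
    """Return text with known keys, secret fields, IPs and hostnames masked."""
    out = text
    for k in keys:
        if k:
            out = out.replace(k, "<KEY>")
    out = KEY_RE.sub(r"\1=<KEY>", out)
    out = IPV4_RE.sub("<IP>", out)
    # Longest hostnames first so a short name does not split a longer one.
    for h in sorted(hostnames, key=len, reverse=True):
        out = re.sub(re.escape(h), "<HOST>", out, flags=re.IGNORECASE)
    return out


def leaks(text, hostnames=(), keys=()):
    """List sensitive values still present; an empty list means safe to post."""
    found = [k for k in keys if k and k in text]
    found += [h for h in hostnames if re.search(re.escape(h), text, re.IGNORECASE)]
    found += IPV4_RE.findall(text)
    return found


if __name__ == "__main__":
    # Usage: python redact.py HOST1,HOST2 KEY < mwb-socket-trace-xyz.log
    hosts = sys.argv[1].split(",") if len(sys.argv) > 1 else []
    key = [sys.argv[2]] if len(sys.argv) > 2 else []
    cleaned = redact(sys.stdin.read(), hosts, key)
    sys.stdout.write(cleaned)
    if leaks(cleaned, hosts, key):
        sys.exit("redaction incomplete; do not share this file")
```

Run the self-check on the scrubbed output rather than trusting the regexes alone; the known key and hostnames are checked verbatim.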