Error message includes local PC user name and can be accessed by injected script on remote server #5148

Closed
harupu opened this Issue Apr 14, 2016 · 0 comments

harupu commented Apr 14, 2016

I found that Electron's error messages include the install path, and some Electron apps for Windows are installed into the user's home directory.
This error message can be accessed by JavaScript on a remote web site. It means an arbitrary web site loaded in an Electron app can steal user names. Relative paths should be used for error messages.

PoC

```javascript
try {
  // Calling alert with an extra argument makes the remote call fail during
  // argument conversion; the resulting error text embeds the absolute
  // install path of the app.
  alert(1, 1);
} catch (e) {
  console.log(e.message);
  // Pull the Windows account name out of the leaked path.
  var m = e.message.match(/:\\Users\\(.*)\\AppData/);
  alert(m && m[1]);
}
```

Error Message

```
Could not call remote function ``. Check that the function signature is correct. Underlying error: Error processing argument at index 5, conversion failure from 
Error: Could not call remote function ``. Check that the function signature is correct. Underlying error: Error processing argument at index 5, conversion failure from 
  at callFunction (C:\Users\harupuxa\AppData\Local\xxxxx\app-2.0.3\resources\atom.asar\browser\lib\rpc-server.js:205:11)
  at EventEmitter.<anonymous> (C:\Users\harupuxa\AppData\Local\xxxxx\app-2.0.3\resources\atom.asar\browser\lib\rpc-server.js:295:12)
  at emitMany (events.js:108:13)
  at EventEmitter.emit (events.js:182:7)
  at EventEmitter.<anonymous> (C:\Users\harupuxa\AppData\Local\xxxxx\app-2.0.3\resources\atom.asar\browser\api\lib\web-contents.js:133:25)
  at emitTwo (events.js:87:13)
  at EventEmitter.emit (events.js:172:7)
```

• Electron version: 0.37.5
• Operating system: Windows
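An added example, not part of this issue and not Electron's own code: a redaction step a main process could apply to an Error before forwarding it to a renderer, so the text that reaches page JavaScript no longer carries the local profile path. It runs the same user-name check the PoC above performs, before and after redaction. The install root (`APP_ROOT`) and the sample stack are assumptions constructed from the trace quoted in this issue; a real app would take the root from its own app path.

```javascript
// Added example (not Electron's code): scrub absolute install paths out of
// error text before it crosses into a renderer or a remote page.

// Constructed sample, modelled on the stack trace quoted in this issue.
const SAMPLE_STACK = [
  'Error: Could not call remote function ``. Check that the function signature is correct.',
  '  at callFunction (C:\\Users\\harupuxa\\AppData\\Local\\xxxxx\\app-2.0.3\\resources\\atom.asar\\browser\\lib\\rpc-server.js:205:11)',
  '  at EventEmitter.<anonymous> (C:\\Users\\harupuxa\\AppData\\Local\\xxxxx\\app-2.0.3\\resources\\atom.asar\\browser\\lib\\rpc-server.js:295:12)',
  '  at emitMany (events.js:108:13)',
].join('\n');

// Assumed install root. In a real app this comes from the app's own path API.
const APP_ROOT = 'C:\\Users\\harupuxa\\AppData\\Local\\xxxxx\\app-2.0.3';

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// The check the PoC in this issue performs: can a Windows account name be
// read out of a profile path embedded in the text? Returns the name or null.
function extractWindowsUserName(text) {
  const m = /:\\Users\\([^\\]+)\\AppData/.exec(text);
  return m ? m[1] : null;
}

// Replace the app's own root with a placeholder so frames become relative,
// then fall back to masking any Windows or POSIX home directory that remains.
function redactPaths(text, appRoot) {
  let out = text;
  if (appRoot) {
    out = out.replace(new RegExp(escapeRegExp(appRoot), 'gi'), '<app>');
  }
  out = out.replace(/[A-Za-z]:\\Users\\[^\\\s)]+/g, '<home>');
  out = out.replace(/\/(?:home|Users)\/[^\/\s)]+/g, '<home>');
  return out;
}

// What a main process should hand to a renderer instead of the raw Error:
// a plain object whose message and stack have both been redacted.
function toSafeError(err, appRoot) {
  return {
    message: redactPaths(String(err.message), appRoot),
    stack: redactPaths(String(err.stack || ''), appRoot),
  };
}

console.log('before:', extractWindowsUserName(SAMPLE_STACK));
console.log('after: ', extractWindowsUserName(redactPaths(SAMPLE_STACK, APP_ROOT)));
console.log(redactPaths(SAMPLE_STACK, APP_ROOT));
```

Redaction limits what an injected script can read from a failed remote call, but the stronger fix is to not forward main-process stack traces to untrusted renderer content at all and to return only a generic message; the fallback patterns here are deliberately broad because the error can originate from modules outside the app root.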