Security #20

Open
probonopd opened this Issue Jan 8, 2017 · 7 comments


@probonopd

When I open the app, I get "Sign into GitHub to continue to HawkEye". How can I know that this is not a phishing attempt? How can I know that the app doesn't abuse my username and password for something else?

@andrewhathaway
Member

Hi @probonopd. For the application to get your notifications, you need to authenticate with GitHub.

This is done using the OAuth2 protocol. Your username and password are entered, by the user, on GitHub itself, where Hawk Eye doesn't have access to those values. In return, Hawk Eye gets a token used to authenticate with GitHub's API. This token is then stored on your machine only, again, where only you have access to it. Removing your account from Hawk Eye will delete the token from your machine.

Hope this clears things up. Have a good day. :)

@probonopd
probonopd commented Jan 8, 2017 edited

It is clear to me that this is how it should work - but how can a user be sure that this is what actually happens? Could the app use the system's browser to handle entering the credentials? That way, the user would at least see the URL where he enters his credentials...

@andrewhathaway andrewhathaway reopened this Jan 8, 2017
@andrewhathaway
Member

Sadly, if I were to give control over to the system's browser, I could not get the user's access token from the redirected browser. I will look into this further; my other option would be to show the address bar on the window.

@probonopd

show the address bar on the window

A malicious fork of this app could show something random there...

@andrewhathaway
Member

Sure, it could. Looking through this issue, there's no way for me to show a toolbar on the Electron BrowserWindow implementation. electron/electron#1862

Furthermore, looking at the docs for shell.openExternal, there's no way for me to grab the token back from the browser. https://github.com/electron/electron/blob/master/docs/api/shell.md#shellopenexternalurl-options-callback

I'm not entirely sure there's a way forward for this issue.

@iamthemovie
Member

@probonopd we could mitigate the issue by offering a way of manually entering a user-generated OAuth token as a different option when logging in. That way you have complete control over the transient token and do not have to enter your password or user details.

While I completely understand the security implication of what you're suggesting we would always recommend on a personal note to use randomly generated passwords for every account a user has on the internet (managed by a password manager) and enable two-factor authentication where applicable. 😄

@probonopd

@iamthemovie I would appreciate this option very much.
And just a GitHub password alone is precious enough to really care about it ;-)
