Malware in Windows binary #2418
Comments
Interesting conversation on Hacker News https://news.ycombinator.com/item?id=25258794 |
@tmairegasnighto Thanks for reporting this issue and we need to investigate this but Edit: e.g. |
The gvt1.com URL I am seeing is different:
and is also transmitting my public IP address as a URL parameter. It's hard to understand why that would be required. Additionally, there is encrypted traffic going both ways. I'm not sure what value the URLs being downloaded have to Marktext dictionary autocorrect... eg...
|
I think that the place where things are downloaded from is corrupted or had a change. I doubt the devs would be using these:
I like movies but I don't think they need to be included here. And traveling now isn't a great idea. |
@tmairegasnighto The "random" list might be the safe browsing list from Chromium as Electron is just a browser and the traffic is encrypted due to HTTPS. Please download electron-v8.3.2-win32-x64 and check whether there is the same network activity, if so it's just the browser downloading some metadata. Electron and Mark Text open a connection to Please replace Mark Text root |
I got the same behavior if I run the Electron demo application or replace Mark Text bundled files with the demo application. Could you please email me the dumped files (including the suspicious URLs) because it might be a safe browsing list from Google. Please open an upstream Electron issue (or I'll open one when I have time) because I think Electron shouldn't download dictionaries automatically on startup when Chromium's built-in spell checker is disabled. At the moment it seems as if no bad NPM package is present because the connection to Google is also present when launching unchanged Electron with the official Summarized:
|
Thank you @tmairegasnighto and the user(s) that posted it on reddit and HN. The security of our product is very important to us and at the present time we verified that the HTTP requests are legit connections to Google servers.
I downloaded the content @tmairegasnighto posted in the second comment to verify that the Crowd Deny list is a legit package by Google, extracted the payload and we got three files:
Decoded Base64 string:
|
I just want to say thank you for the extremely quick follow up and resolution, and glad this was just a false alarm. Sorry for my issue title - it jumped the gun a bit. ...but you know, seeing "adultdeepfakes.com" in an app's network packet will do that :-) |
Description
I have discovered some malicious behavior in the Windows version of this app (have not tested other OS versions).
Steps to reproduce
Actual behavior:
I discovered export of some data, and it downloaded some malicious files...
Link to an example: [optional]
More details can be found here: https://old.reddit.com/r/Markdown/comments/k43hzw/warning_malicious_code_found_in_mark_text/
Versions