New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security [Signal for macOS]: Lack of quarantine meta-attribute for downloaded files leads to GateKeeper bypass #3590
Comments
🤔 |
1 similar comment
🤔 |
Sorry, not quite sure I follow. Are you saying that the same issue that applies to Brave applies to downloaded attachments in Signal? |
Exactly this, see for reference:
I also shared my slides about macOS File Quarantine with you (GDrive, email invitation). Please, don't share these slides with others. Fix: add LSFileQuarantineEnabled=false in Info.plist and make sure auto-updater doesn't quarantine the new version of the app. |
@kenpowers-signal Let me know whether you're going to fix this (and when, if you're), so that I can publish my research and send it to IBB. Thanks |
Thanks, we're considering this and will update this thread if we decide to change behavior for downloaded files. |
v1.30.0 introduced quarantine attributes for saved attachments on macOS: 1bf9ca7 |
Bug Description
Report to Brave: https://hackerone.com/reports/374106
.terminal
file can be used for this purpose (it's executable after downloading from the web).OS
macOS
The text was updated successfully, but these errors were encountered: