Hi,

Great work!

We did a security analysis on the app and found that the risky ipcRenderer is directly exposed to the unsafe renderer process. This may allow remote attackers to abuse sensitive methods in the (privileged) main process by crafting malicious IPC messages.

Vulnerability Details

The following code shows how a preload script exposes IPC:
twinkle-tray/src/intro-preload.js, line 39 in 16c4a71

We do find exploitable IPC endpoints, e.g., if the attacker sends a malicious msg to the open-url channel, he may execute arbitrary commands via openExternal:
twinkle-tray/src/electron.js, lines 1314 to 1316 in 3871712

Mitigation
v1.13.4 has been released with a fix for this potential vulnerability. I now use a pre-defined list of URLs.
I am not aware of any way that IPC could be triggered from outside of Electron, and Twinkle Tray does not load any HTML/JS from external URLs (it's all contained in the distributed ASAR). But just in case it is possible to exploit, it's been fixed. Thanks again for pointing the vulnerability out.
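An added example, not code from Twinkle Tray or the reporter, that models the two sides of this thread in plain Node.js: a main-process handler that forwards whatever string arrives on the open-url channel to openExternal, beside a hardened handler that, like the pre-defined URL list in the v1.13.4 fix, only opens entries the renderer selects by key. Electron's shell.openExternal is replaced by a recording stub so it runs offline; the key names and URLs in the list are constructed sample values.

```javascript
// Added example, not Twinkle Tray's code. Electron is not loaded here:
// shell.openExternal is a stub that records what would have been opened.
const opened = [];
const shell = { openExternal: (url) => { opened.push(url); } };

// Pre-defined list of URLs the renderer may ask for (constructed sample values).
// The renderer never supplies a URL, only one of these keys.
const ALLOWED_URLS = Object.freeze({
  homepage: "https://example.com/",
  releases: "https://example.com/releases",
});

// Weak handler: the pattern the report describes. Whatever arrives on the
// "open-url" channel is handed straight to openExternal, so any code that can
// send IPC from the renderer chooses the URL and, with it, the protocol handler.
function weakOpenUrlHandler(_event, url) {
  shell.openExternal(url);
  return url;
}

// Hardened handler: only keys present in the pre-defined list are opened;
// non-string payloads and unknown keys (including raw URLs) are rejected.
function hardenedOpenUrlHandler(_event, key) {
  if (typeof key !== "string" || !Object.prototype.hasOwnProperty.call(ALLOWED_URLS, key)) {
    throw new Error(`open-url: rejected payload ${JSON.stringify(key)}`);
  }
  shell.openExternal(ALLOWED_URLS[key]);
  return ALLOWED_URLS[key];
}

// The matching preload side would expose only this narrow function via
// contextBridge instead of ipcRenderer itself (shape only, Electron not loaded):
//   contextBridge.exposeInMainWorld("twinkle", {
//     openUrl: (key) => ipcRenderer.send("open-url", key),
//   });

// Runs a handler with one payload and reports whether anything reached
// openExternal. Returns { rejected, openedUrl }.
function tryOpen(handler, payload) {
  const before = opened.length;
  try {
    handler({}, payload);
  } catch (err) {
    return { rejected: true, openedUrl: null };
  }
  return { rejected: false, openedUrl: opened.length > before ? opened[opened.length - 1] : null };
}

console.log("weak, raw URL:     ", tryOpen(weakOpenUrlHandler, "https://not-on-the-list.example/"));
console.log("hardened, raw URL: ", tryOpen(hardenedOpenUrlHandler, "https://not-on-the-list.example/"));
console.log("hardened, list key:", tryOpen(hardenedOpenUrlHandler, "releases"));
```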