Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

IPC Sender Verification and Electron.js Version Upgrade #7616

Open
masood opened this issue Nov 26, 2023 · 0 comments
Open

IPC Sender Verification and Electron.js Version Upgrade #7616

masood opened this issue Nov 26, 2023 · 0 comments

Comments

@masood
Copy link

masood commented Nov 26, 2023
edited
Loading

Summary:
Thank you for designing the Hyper Desktop Application making it open-source and available. The application does a great job of following secure practices. We list pointers of concern below that can help make the application more secure.

  1. [Verifying IPC Sender] Since the application uses custom IPC messages (e.g., child_process.exec), it will be useful to introduce a mechanism that verifies the sender of the message, event.sender. [Link]
  2. [Keeping up-to-date w/ Electron.js]: The application uses an old version of Electron.js (v20.3.6) and Chromium (v104.0.5112.124) which is vulnerable to numerous known V8 and Blink attacks. Upgrading to an even newer version will be a great idea as well [Link]

Thank you!

Platform(s) Affected:
Windows, Linux, MacOS


Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@masood