that electronSafeIpc API is actually not that interesting and a completely standard way to do things for ElectronJS apps. No, I do agree - from my perspective C/C++ class bugs are more difficult. Maybe they see this as…
please check out how much code MS Teams actually has, before statements like this :) (it’s more than 30MB of compressed JS)
There is no timeline besides when I reported it and now minus 2wks. They never told me when the fix was deployed. There is little value in going through the email chains to note each date:(. Final decision was made…
sure, add guest accounts to that and we are almost on the same page. I can’t call this “spoofing” as there are many many things you can do wih it
only as a thought exercise. the ability to 'switch off the internet' (115 million daily active big corp users) is tempting, but no, not really :)
I'm not an expert on Electron security! But if not addressed to me, there is no need to pay, you can start here: - https://www.electronjs.org/docs/tutorial/security -…
Yeah, although technically it's "out of scope", I think there are times when you should stop debating the technicalities and consider the business impact. I mean, do you look at that demo and think "yeah, that's…
no, as you can see in the first demo it could be completely silent. not saying you are safe - I don’t know :)
to simplify - no it’s not enabled the real answer is more complicated as it is not necessarily a global setting and depends on what you call a “sandbox”
there are different levels of security for ElectronJS, some, like in this case are not enough. I think it will take a long time before we can call ElectronJS secure. there are regular sandbox escapes and that is from…
you can find both disclosure dates and versions in the report. As for when it was fixed - I have no idea, as they never told me, one day it just was.
I wrote this. This is one of five similar reports for MS Teams. Even outside RCE, just consider the impact of access to SSO tokens and wormability :)
The app has been updated multiple times since, but you can debug Slack and other Electron apps to see the context they are running with. Electron apps merge desktop functionality with web and sometimes it's possible to…
thank you, appreciate some positivity :)
Context matters. In this case it was a challenge because of previous research and I would've done it just for fun and the experience. I'm lucky I can afford to do that. Doesn't mean I don't value compensation. In other…
I don't live in a 'western country' nor do I make anything near a Silicon Valley salary
Yes they should and I think I could. This exploit was more of a fun challenge. I support and agree to everything you are saying. I love the community response. I too loathe the bug bounty asymmetry in power between…
high 4, low 5 figures depends on exploit, program, company etc
I agree with you. It's super low, but I and others will just ignore it in the future and ultimately they lose. However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass'…
Sure, absolutely they exist. But in my opinion they are the absolute minority. I've been in security for long enough to know that most people are good, otherwise we'd have major problems every day. 99% of people saying…
I wrote that exploit & report. Just some thoughts on comments here. Sure the bounty is low, but ultimately it's their money and their decision. They will deal with the 'consequences' of others skipping their program and…
that electronSafeIpc API is actually not that interesting and a completely standard way to do things for ElectronJS apps. No, I do agree - from my perspective C/C++ class bugs are more difficult. Maybe they see this as…
please check out how much code MS Teams actually has, before statements like this :) (it’s more than 30MB of compressed JS)
There is no timeline besides when I reported it and now minus 2wks. They never told me when the fix was deployed. There is little value in going through the email chains to note each date:(. Final decision was made…
sure, add guest accounts to that and we are almost on the same page. I can’t call this “spoofing” as there are many many things you can do wih it
only as a thought exercise. the ability to 'switch off the internet' (115 million daily active big corp users) is tempting, but no, not really :)
I'm not an expert on Electron security! But if not addressed to me, there is no need to pay, you can start here: - https://www.electronjs.org/docs/tutorial/security -…
Yeah, although technically it's "out of scope", I think there are times when you should stop debating the technicalities and consider the business impact. I mean, do you look at that demo and think "yeah, that's…
no, as you can see in the first demo it could be completely silent. not saying you are safe - I don’t know :)
to simplify - no it’s not enabled the real answer is more complicated as it is not necessarily a global setting and depends on what you call a “sandbox”
there are different levels of security for ElectronJS, some, like in this case are not enough. I think it will take a long time before we can call ElectronJS secure. there are regular sandbox escapes and that is from…
you can find both disclosure dates and versions in the report. As for when it was fixed - I have no idea, as they never told me, one day it just was.
I wrote this. This is one of five similar reports for MS Teams. Even outside RCE, just consider the impact of access to SSO tokens and wormability :)
The app has been updated multiple times since, but you can debug Slack and other Electron apps to see the context they are running with. Electron apps merge desktop functionality with web and sometimes it's possible to…
thank you, appreciate some positivity :)
Context matters. In this case it was a challenge because of previous research and I would've done it just for fun and the experience. I'm lucky I can afford to do that. Doesn't mean I don't value compensation. In other…
I don't live in a 'western country' nor do I make anything near a Silicon Valley salary
Yes they should and I think I could. This exploit was more of a fun challenge. I support and agree to everything you are saying. I love the community response. I too loathe the bug bounty asymmetry in power between…
high 4, low 5 figures depends on exploit, program, company etc
I agree with you. It's super low, but I and others will just ignore it in the future and ultimately they lose. However, bug bounties are not a job. Nobody is forced or obligated to do anything. I'm giving them 'a pass'…
Sure, absolutely they exist. But in my opinion they are the absolute minority. I've been in security for long enough to know that most people are good, otherwise we'd have major problems every day. 99% of people saying…
I wrote that exploit & report. Just some thoughts on comments here. Sure the bounty is low, but ultimately it's their money and their decision. They will deal with the 'consequences' of others skipping their program and…