Source URL: https://kibty.town/blog/todesktop/
Source: Hacker News
Title: How to gain code execution on hundreds of millions of people and popular apps
Feedly Summary: Comments
AI Summary and Description: Yes
Summary: The text details a security vulnerability discovered in the “todesk” application bundler, highlighting a significant exploit that allows arbitrary code execution in various applications relying on its infrastructure. The author’s investigative process reflects critical security practices and incident response, emphasizing collaboration with affected parties to remedy the issue.
Detailed Description: The text provides a detailed account of a security vulnerability discovered while investigating an AI-powered text editor known as “cursor.” The author analyzes the underlying infrastructure, revealing security weaknesses in the todesktop service used by cursor. Key points and insights include:
– **Initial Discovery**: The author became curious about todesktop, an electron app bundler, while attempting to download cursor. This led to an investigation into its security.
– **Firebase Recon**: The inspection uncovered the use of Firebase’s Firestore and the presence of sourcemaps, which facilitated the identification of an insecure collection named `temporaryApplications`. Although the collection contained no sensitive data, it raised concerns about security practices.
– **CLI Analysis**: The author explored the todesktop command-line interface (CLI) and utilized sourcemapper to extract source trees, leading to the discovery of an arbitrary S3 upload vulnerability through a Firebase cloud function called `getSignedURL`.
– **Post-exploitation**: Implementing a reverse shell payload through a postinstall script in `package.json` enabled the author to access the container where the application code was built, revealing a hardcoded Firebase admin key that allowed for extensive control.
– **Potential Impact**: The vulnerability posed risks across numerous applications, including popular tools like ClickUp, Cursor, Linear, and Notion, suggesting that the exploit could potentially affect hundreds of millions of users.
– **Incident Reporting and Response**: After identifying the exploit, the author responsibly communicated with todesktop’s owner. The company responded quickly, implementing security enhancements such as integrating a privileged sidecar container for signing and uploading without compromising user code.
Overall, this narrative underscores the importance of security audits, the need for secure coding practices, and responsive incident management in software development, especially in environments leveraging cloud and third-party dependencies. It illustrates the impact of effective communication and collaboration in enhancing security measures post-discovery of vulnerabilities.