Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

In-app Navigation Handling #37

Open
masood opened this issue Oct 25, 2023 · 0 comments
Open

In-app Navigation Handling #37

masood opened this issue Oct 25, 2023 · 0 comments

Comments

@masood
Copy link

masood commented Oct 25, 2023

Summary:

The Enclica Messenger Desktop Application does not correctly limit in-app navigation.

Platform(s) Affected:

MacOS, Linux, Windows

Steps To Reproduce:

  1. Open the Enclica Messenger Desktop Application from the command-line. Add a command-line switch --remote-debugging-port=8315 while running the application.
  2. Open a web browser on the same device and visit localhost:8315. The application can be interacted with via the DevTools protocol.
  3. [Access Sensitive File] Within the console, update the location, say, window.location = “https://malicious.com”. The application window is navigated to a third-party domain.

Additionally, the app accesses tokens from local storage. It can instead benefit from storing tokens as cookies and encrypting them using @electron/fuses. [Link]

Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@masood