Wow…

So electron improved their security features with the recent version 5, but by doing this broke tons of applications because they either need User Namespaces or an SUID executeable (to launch proper isolated subprocesses).

Desktop noticed this problem and as well and "fixed" it in the worst way possible:

github.com/signalapp/Signal-De

On the other hand Desktop did a proper fix, which enables an SUID bit on this binary: github.com/vector-im/riot-web/

Little follow up on my earlier statement about Desktop and the `--no-sandbox` argument they force on linux now.

I didn't just made noise on my social media but of course also (tried to) work with the upstream project. Sadly it seems like they don't care:

github.com/signalapp/Signal-De

5 work days and no one even had a look at it. Great… Maybe I should write a PR this weekend in hope it gets more attention.

@sheogorath Is there a post anywhere explaining what they are fucking up on here? what are the implications? asking cause I don’t understand and would like to

@sheogorath I assume the simple explanation isn’t really appropriate in this case as Signal is not letting you navigate outside of its own services. Like how would one take advantage of this insecurity?

Follow

@liaizon Actually it is. The idea is, that by sandboxing you strip away unneeded permissions and capabilities from processes like the rendering process, so they can't attack your system and (for example) execute code.

And there is actually a ton of 3rd party content that runs in Signal, like videos that one send to you.

And remember the recent flaw in the VLC dependency that caused CVE-2019-5439? There is no guarantee that similar flaws don't reside in Chromium and therefore in Signal Desktop.

@sheogorath thanks for the explanation! So the sandboxing is not just about per processes/tab capabilities but capabilities in general for all of the different actions Signal may support. Seems like Signal being built on Electron might be the biggest vulnerability!

@liaizon Yes, chromium spreads out different tasks to different processes which then get only the right amount of capabilities to "get the job done". You can check that in your process manager (on linux you can open a shell and run `ps aux | grep signal`) to see this in action.

When it comes to Electron, well, not per se. Electron has the potential to be a big security problem, but a bad written own client could be even worse.

Security comes from writing good code, not from the framework.

Sign in to participate in the conversation
Sheogorath's Microblog

This instance is the microblog to my blog. You'll probably find more recent content here while finding more elaborated content on the blog. Impressum / Datenschutz / Privacy