Handling executable files and Electron.js version upgrade

[masood]

Summary:

The DropPoint Desktop Application incorrectly handles executable files. It uses an older version of Electron. It also does not place restrictions on in-app navigation.

Platform(s) Affected:

MacOS, Windows, Linux

Details:

1. [Executable Files] Dragging and dropping an executable file makes the window unusable. For example, say on MacOS, a user opens Finder, goes to “Applications”, and drags-and-drops the executable for the “Emacs” application. The window for the DropPoint application becomes unusable and the file cannot be copied over.

2. [Electron.js version] The framework recommends that updated versions of the framework be used to take advantage of secure defaults and security fixes. [Link] Additionally, the app uses insecure web preferences, which can be turned off by default when upgraded to a newer version of Electron.js.

3. [Navigation] It is also recommended that the application limit any attempts at navigating the app window to an arbitrary site if, say window.location is updated within the app window. While this is currently not exploitable, adding limitations can help improve the security of the application.

—

Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago