Code Injection in jerrod-lankford/google-voice-desktop-app
Sep 12th 2021
Attackers can execute malicious code on users computers using Google Voice Desktop App provided that users click on a malicious hyperlink in the app itself
🕵️♂️ Proof of Concept
- Host the following index.html on a web server
<script> require('child_process').exec('calc'); </script>
- Users who click on the hyperlink https://accounts.google.com@[WEB_SERVER]/index.html in the Desktop App (via someone messaging them the link) will execute require('child_process').exec('calc'), which will open the calculator app on the computer.
This vulnerability is capable of code execution via visiting malicious hyperlink in the application
The vulnerability exists because nodeIntegration is set to true so whatever that is embedded in a <script> tag on a webpage will get executed in Node. In addition in https://github.com/jerrod-lankford/google-voice-desktop-app/blob/master/src/main.js#L153L155 only checks if the URL starts with https://accounts.google.com, however example URL https://email@example.com actually resolves to webserver.local, but it bypasses the check above. Recommended fix for this is to use NodeJS url.parse and check if host == "accounts.google.com" or "voice.google.com", a better fix (if possible, ) would be to disable nodeIntegration entirely.
📍 Location main.js#L147-L149