Valid

Reported on

Sep 12th 2021


✍️ Description

Attackers can execute malicious code on users computers using Google Voice Desktop App provided that users click on a malicious hyperlink in the app itself

🕵️‍♂️ Proof of Concept

  1. Host the following index.html on a web server
<script>
require('child_process').exec('calc');
</script>
  1. Users who click on the hyperlink https://accounts.google.com@[WEB_SERVER]/index.html in the Desktop App (via someone messaging them the link) will execute require('child_process').exec('calc'), which will open the calculator app on the computer.

💥 Impact

This vulnerability is capable of code execution via visiting malicious hyperlink in the application

Recommended Fix

The vulnerability exists because nodeIntegration is set to true so whatever that is embedded in a <script> tag on a webpage will get executed in Node. In addition in https://github.com/jerrod-lankford/google-voice-desktop-app/blob/master/src/main.js#L153L155 only checks if the URL starts with https://accounts.google.com, however example URL https://accounts.google.com@webserver.local actually resolves to webserver.local, but it bypasses the check above. Recommended fix for this is to use NodeJS url.parse and check if host == "accounts.google.com" or "voice.google.com", a better fix (if possible, ) would be to disable nodeIntegration entirely.

📍 Location main.js#L147-L149

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
haxatron modified the report
a year ago
haxatron modified the report
a year ago
haxatron
a year ago

Researcher


@admin maintainer email is jllanko@ncsu.edu

I think the bot couldn't detect email format listed in the SECURITY.md

haxatron modified the report
a year ago
Z-Old
a year ago

Admin


Hey haxatron, thanks for the heads up. I've emailed the maintainer for you.

We have contacted a member of the jerrod-lankford/google-voice-desktop-app team and are waiting to hear back a year ago
Jerrod Lankford
a year ago

Maintainer


Sorry i messed up my email in the security.md. Its fixed. I also took care of the vulnerability by parsing the url as suggested. Unfortunately i can't remove node integration. Thanks for letting me know

haxatron
a year ago

Researcher


Hi there, thanks for fixing the vulnerability! Could you validate this report?

Jerrod Lankford validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jerrod Lankford confirmed that a fix has been merged on 4d9fcf a year ago
Jerrod Lankford has been awarded the fix bounty
to join this conversation