Profile picture
yan @bcrypt
, 6 tweets, 3 min read Read on Twitter
Signal Desktop just pushed out a fix for a remote XSS vuln: github.com/signalapp/Sign…

demo:
a lot of @electronjs devs have the attitude that their app doesn't need sandboxing or keeping up-to-date with Chromium bc "it doesn't execute untrusted code". the problem is that falls apart as soon as you get XSS. github.com/signalapp/Sign…

(at least Signal has sandboxing)
"should i build this as a web app or use Electron?"
the difficulty gap between XSS and full RCE is much smaller in Electron compared to a browser like up-to-date Chrome, so plz make it a web app if u care about good things
here's a recent example of XSS -> system RCE in Electron: trustwave.com/Resources/Spid…

Electron has a flag that basically says "allow content to run system commands via Node" and it was possible for a context with that flag disabled to open a new context that had it enabled
at least 3 reasons why XSS -> RCE is easier in Electron vs Chrome:
1. often behind latest Chrome so old 0days will sometimes work (ex: blog.ethereum.org/2017/12/15/sec…)
2. no renderer sandboxing by default
3. privilege boundary b/w content with & without Node access is not well-enforced
the Electron team knows about these issues and have made some great progress lately. in the meantime, keep in mind that it was designed primarily for Atom, an app that doesn't load remote content.
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to yan
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @bcrypt see all

Profile picture
A lot of people ask "why should I work in software development as opposed to math/physics/finance/etc.?" One reason is that this field is surprisingly full of "inadequate equilibria" (a steady-state in which low-hanging fruits are still available for non-experts to solve).
Take this passage from a summary of Eliezer Yudkowsky's book (scottaaronson.com/blog/?p=3535). IMO one "authoritative institution" that has created a lot of inadequate equilibria in software development is Silicon Valley culture and its focus on rampant growth.
growth is often at odds with security/privacy/robustness, so those are subfields of software development where a newcomer can potentially make high-impact contributions (things that obviously should be done but nobody has done yet due to the incentives being screwed up)
Read 3 tweets

Related threads

Profile picture
And now, #Maintain2018 live tweeting begins. As before, this is going to be high volume, so mute me and/or the hash tag if you don't want to see this!
We're beginning not with a keynote but a provocation (from three speakers): What is maintenance? #Maintain2018

First we're going to talk about social housing.
"State regeneration is becoming a euphemism for demolition and redevelopment. ASH [Architects for Social Housing) was set up to propose alternatives to this." #Maintain2018
Read 221 tweets
Profile picture
i'm finally ready to share my personal story about this whole #golang dependency management process.
Consider it a counterpoint to the story Russ shared last month: . (Please note that he also publicizes private communications in that thread.)
Two weeks ago, i published a screencast that distills the single most essential technical issue (information loss) with the module system that shipped with Go 1.11.

Reasonable fixes should still be possible.
Read 88 tweets
Profile picture
Dos días tarde, por que voy de culo de curro, voy a hacer el hilo para responder a un reciente "amigo de Twitter" @SergioAG_ sobre la seguridad en Telegram i por que creo que NO hay que usarlo, sin saber almenos esto:
Primero dos axiomas, gracias a mi amigo @arnaugamez. La seguridad absoluta no existe. Y, la seguridad en abstracto, tampoco, existen condiciones materiales tales como marcos legales o conocimientos desiguales, entre muchas otras condiciones.
Luego, la privacidad y la seguridad son conceptos diferentes. De nada sirve una aplicación que garantice mi privacidad, pero esa privacidad se vulnere por cualquier agente externo. O viceversa, de nada sirve un servicio seguro, si mi privacidad es explotada por el propio servicio
Read 17 tweets
Profile picture
@swyx A small example for our team was upgrading to React 16.3. The React team itself has done a great job. But for us to upgrade on our large codebase, we had to do the following things.
@swyx 1. Design system aka Atlaskit has to update to React 16.3. This meant within the design system, all interdependent components had to update to their latest versions. They had to support both React 16.2 and 16.3 during this intermediary phase.
@swyx 2. React team did a great job smoothening the release with codemods which were useful. But our tests used Enzyme, which does not support 16
github.com/airbnb/enzyme/…
Read 12 tweets
Profile picture
Today is a challenge - on and off for the next 12 hours, now that the GDPR dust is settling, I am going to try and Tweet about nothing but the #EUCopyrightDirective - BECAUSE, YE GODS, YOU NEED TO KNOW ABOUT THIS:

techdirt.com/articles/20180…

HT @mmasnick CC @OpenRightsGroup
If you want a video about how YOU should demand that the EU #DeleteArt13 of the #EUCopyrightDirective, maybe start with this one:
If you would like an authoritative voice regards why we YOU need to act to get the EU to #DeleteArt13 - to avoid the Internet and Web being swamped with a "Link Tax", here is the perspective of German Euro-MP, Julia Reda: juliareda.eu/2018/05/censor…
Read 16 tweets
Profile picture
Getting started with #walletconf -- UX discussions around wallets and crypto broadly.
First up, @tomcreighton kicking off. Where does UX come into the thinking around crypto? "What is the UX of TCP/IP?"
My question: how do you think about design when you are building lower level lego blocks vs. lego kits?

I'm thinking perhaps about open source components that have developers as the "end user".
Read 70 tweets

Trending hashtags

#Plutus #smartcities #ItsTime #webdev #opemdata #Rotavirus #bigdara #Maintani2018 #Maintain2018 #BenefitsOfAadhaar #Splash #Tetanus #smarticities #smarticites #FunFact #walletconf #erc1056 #attitude #TheBeatles #elementqueries #Amazon #team #Pupsicle #immunocompromised #poxparties

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!