Verifying IPC Sender, Encrypting Cookies, Electron.js/Chromium Versions

[masood]

Summary:
Thank you for designing the Fifo Browser Desktop Application and making it open source and available. The browser does a great job of using secure preferences when the user navigates to arbitrary websites. However, we list pointers of concern below that can help make the application more secure.

1. [IPC Messages]: Since the application uses custom IPC and allows navigation to arbitrary sites, it will be helpful to verify the sender of IPC messages before handling and responding to them in IPC Main. [Link]
2. [Encrypting Cookies]: The browser stores sensitive cookies on the filesystem. It will be helpful to use a fuse to encrypt cookies. [Link]
3. [Keeping up-to-date w/ Chromium]: The application uses an old version of Electron.js and Chromium which is vulnerable to numerous known V8 and Blink attacks. We observed an existing pull request for the same, which will be great for the app. [Link]

Thank you!

Platform(s) Affected:
Windows, Linux

–
Mir Masood Ali, PhD student, University of Illinois at Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago
Chris Kanich, Associate Professor, University of Illinois at Chicago
Jason Polakis, Associate Professor, University of Illinois at Chicago

[snaildos]

Summary: Thank you for designing the Fifo Browser Desktop Application and making it open source and available. The browser does a great job of using secure preferences when the user navigates to arbitrary websites. However, we list pointers of concern below that can help make the application more secure.

1. [IPC Messages]: Since the application uses custom IPC and allows navigation to arbitrary sites, it will be helpful to verify the sender of IPC messages before handling and responding to them in IPC Main. [Link]
2. [Encrypting Cookies]: The browser stores sensitive cookies on the filesystem. It will be helpful to use a fuse to encrypt cookies. [Link]
3. [Keeping up-to-date w/ Chromium]: The application uses an old version of Electron.js and Chromium which is vulnerable to numerous known V8 and Blink attacks. We observed an existing pull request for the same, which will be great for the app. [Link]

Thank you!

Platform(s) Affected: Windows, Linux

– Mir Masood Ali, PhD student, University of Illinois at Chicago Mohammad Ghasemisharif, PhD Candidate, University of Illinois at Chicago Chris Kanich, Associate Professor, University of Illinois at Chicago Jason Polakis, Associate Professor, University of Illinois at Chicago

Hey, thank you so much for reaching out to create a list of issues with the browser. I really appreciate the research put into this.

1. Is 100% on our watch list.
2. is a feature I think is great, and will look into the feature.
   Regarding 3, I understand it may sound easy, however these major jumps cause a ton of side effects and electron moves really fast for just me whose maintaing the app, so I struggle to keep up. We do have a development branch (I'm pretty sure, I just came back from holidays recently) bumping the electron version and keeping compatability. So I'll look into that for you, and I am aware of the issues.

Thank you so much again, I heavily appreciate it, and I will keep this issue open for future research and comments.

Kind regards,
Snail