Electron security has gotten a lot better since 2018, but I'm happy to go over the specifics of what applies to 1Password.

Even though a majority of our engineers are new to the Electron framework, we have made sure to do our due diligence versing ourselves in best-practice security for Electron applications, including considering what differences it makes to our application's threat model and the types of security bugs that have traditionally impacted Electron-based apps.

I believe 1Password 8 starts off strong compared to other Electron apps: we don't load any remote content, from any site. We have a strong CSP (content security policy) in place as well, preventing any JavaScript code from making network connections. I'll share it here as well in case you're curious.

[two screenshots omitted]

In a similar vein, we also have locked down the possible ways that content could be navigated to outside the app from user actions, remote or local. If it's not a standard web link, we don't even forward it to the operating system to handle.

We also follow Electron's security guidelines, and then some. We've open sourced an Electron app base that uses the same secure defaults here, if you would like to take a look. This includes disabling dangerous options like Node.js integration.

Let's jump to your specific example cases from past Electron tire-fires next.

CVE-2018-1000136, a nodeIntegration bypass via XSS: 1Password 8 would not have been affected by this issue. As a full disclaimer, Electron adds options now and then so it's possible some of our prevention mechanisms might not have been as effective at the time these exploits in 2018 occurred.

CVE-2018-1000006, a protocol handler bug in Electron: This bug only affected Windows, but it would have affected 1Password 8 for Windows since we register a custom URL handler scheme. We explicitly block the creation of all webviews and new windows, which is listed as 2/3 options that would have removed the vulnerability.

The best answer I have about "platform" bugs like these is that we vigilantly watch Electron's changes and release feed to watch for issues like this.