ToDesktop Command Execution Vulnerability via Postinstall Script in Package.json

Vulnerability

A vulnerability in ToDesktop, an Electron app bundler service, allows remote execution of arbitrary commands on the build server. This issue affects ToDesktop versions prior to 2024-10-03 and has been observed in applications like Cursor. The vulnerability arises because the build server runs the postinstall script of an uploaded package.json; an attacker can use that script to access Firebase credentials, read sensitive information from the desktopify config.prod.json file, and deploy unauthorized updates to applications.

Impact

Exploitation of this vulnerability could lead to unauthorized command execution on the build server, access to sensitive Firebase credentials, and the ability to deploy malicious updates to applications using ToDesktop, potentially affecting millions of users.

Reproduction

The vulnerability can be reproduced by uploading a package.json file with a postinstall script that includes a reverse shell payload. Once the payload is executed, the build server can be accessed, and sensitive information, such as Firebase admin credentials, can be retrieved.

Remediation

ToDesktop has patched the vulnerability by removing the Firebase Service Account token from the build process and implementing a restricted-access solution. The company has also enhanced security measures, including key-based authentication for app updates and access control permissions for sensitive actions.
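The root cause above is a build host that runs npm lifecycle hooks from an untrusted package.json. The following added example (not ToDesktop's code) shows the pre-install check a build service can run on a submitted manifest, plus the install command that keeps npm from running those hooks at all; the manifest it audits is constructed here with a placeholder command.

```javascript
// Added example, not code from ToDesktop: audit an uploaded package.json for npm
// lifecycle hooks before a build service runs `npm install` on it. Each of these
// hooks executes a shell command on the installing host, so for a build server
// they are equivalent to arbitrary command execution by whoever supplied the file.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepublish', 'preprepare', 'prepare', 'postprepare',
];

// Returns { ok, findings }: ok is false when any hook is present (or the file
// is not valid JSON); findings lists each hook and the command it would run.
function auditLifecycleScripts(packageJsonText) {
  let manifest;
  try {
    manifest = JSON.parse(packageJsonText);
  } catch (err) {
    return { ok: false, findings: [`package.json is not valid JSON: ${err.message}`] };
  }
  const scripts =
    manifest && typeof manifest.scripts === 'object' && manifest.scripts !== null
      ? manifest.scripts
      : {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (Object.prototype.hasOwnProperty.call(scripts, hook)) {
      findings.push(`lifecycle hook "${hook}" would run on install: ${scripts[hook]}`);
    }
  }
  return { ok: findings.length === 0, findings };
}

// Build-side mitigation independent of the audit: `--ignore-scripts` is a real
// npm flag that stops npm from executing lifecycle hooks during installation.
function safeInstallCommand() {
  return 'npm ci --ignore-scripts';
}

// Constructed sample manifest resembling the upload the advisory describes.
// The postinstall value is a placeholder, not a real payload.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  scripts: {
    build: 'electron-builder',
    postinstall: 'node scripts/setup.js',
  },
});
```

Calling `auditLifecycleScripts(SAMPLE_MANIFEST)` reports the postinstall hook; a manifest with only a `build` script passes, and the build step should then be run with `safeInstallCommand()` regardless.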

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.