Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Etcher loads remote code after privileges are elevated
See original GitHub issue- Etcher version: 1.5.59
- Operating system and architecture: MacOS 10.13.6
- Image flashed: Raspbian
- Do you see any meaningful error information in the DevTools? n/a
When I flash the image, Etcher prompts me for my password, because needs elevated privileges to for some operations on the SDcard. Right after entering the password, Etcher opens a connection to jquery.org - probably do download jQuery. This is a major security risk, as it allows for potentially unsafe code to be executed on my system AFTER I elevated privileges.
Note: I have disabled error reporting and usage statistics, so no network connection should be open when I use the program, except for downloading images. I am pretty sure jQuery.org tracks downloads, which may or may not count as “usage statistics” depending on one’s font of view.
Issue Analytics
- State:
- Created 4 years ago
- Reactions:1
- Comments:8 (4 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Also just to be super clear - what was unintentional was loading GA regardless/in the success-banner, the EFP actually makes use of that (when it’s enabled, mind!)
ping @petrosagg - Has something slipped through the net? Does there need to be a process in place to prevent that happening? 🤷♂️
EDIT: It looks like https://github.com/balena-io/etcher/blob/master/lib/gui/app/components/featured-project/featured-project.jsx#L37 is where the featured-project URL is defined, and the source of https://assets.balena.io/etcher-featured/index.html says:
😕
EDIT2: Also, https://assets.balena.io/etcher-featured/index.js appears to explicitly load GoogleAnalytics, whereas https://github.com/balena-io/etcher/issues/2766#issuecomment-531437542 says that GA was unintentional?