Etcher should not fake a system password prompt
See original GitHub issue
- Etcher version: All since commit 9b82891abb86fc27c3df531fa6e1086192de4f03 from @zvin
- Operating system and architecture: macOS (but possibly Linux as well, I don’t use it on desktop platforms to validate this)
- Image flashed: Does not apply
- Do you see any meaningful error information in the DevTools? Does not apply
Before flashing a device, Etcher shows what appears to be a system prompt asking for the user’s password, but it is not in fact a system prompt: Etcher’s own application is emulating a system prompt and capturing the password itself 👇
```javascript
// JXA (osascript -l JavaScript): the dialog below is drawn by the script itself,
// not by the system's authorization service
const app = Application.currentApplication()
app.includeStandardAdditions = true
const result = app.displayDialog('balenaEtcher needs privileged access in order to flash disks.\n\nType your password to allow this.', {
  defaultAnswer: '',
  withIcon: 'caution',
  buttons: ['Cancel', 'Ok'],
  defaultButton: 'Ok',
  hiddenAnswer: true, // masks the typed text so it looks like a password field
})
```
This tricks users, who think they are entering their password into a trusted system prompt, into forfeiting their password to an arbitrary userspace application which can do with it as it pleases, subverting the system’s own mechanisms for escalating a process’s privilege, so that the application can choose at its own whim what to escalate, rather than the user.
This is similar to what Zoom’s notoriously shady installer did to bypass escalation prompts, and even though not necessarily indicative of malicious practices, it’s terrible practice and a complete betrayal of the user’s trust, not to mention a possible malware vector.
Please, stop emulating system prompts and leverage the standard system mechanisms to implement process escalation. The RaspberryPi Imager app is similar in intent to Etcher and, as far as I could tell, seems to be using the standard system mechanisms to escalate privilege when it’s time to flash (as a matter of fact, it prompts for a much more granular and specific access than full-blown `sudo`); you should do the same.
Issue Analytics
- Created 3 years ago
- Reactions: 22
- Comments: 11 (5 by maintainers)
Top GitHub Comments
Etcher never sees the password, we use `sudo --askpass`. The only code that “sees” the password is https://github.com/balena-io/etcher/blob/master/lib/shared/catalina-sudo/sudo-askpass.osascript.js , it is invoked by `sudo` ( https://github.com/balena-io/etcher/blob/cc08ac9236fad0e98700ab403726116122b821c6/lib/shared/catalina-sudo/sudo.ts#L34 ) and is not part of etcher itself. Etcher never sees your password.

Please read the other issues, this no longer works for writing to `/dev/disk*` starting from Catalina.

How?

I had a quick look at rpi-imager, it uses `authopen`, this could probably work for etcher too but requires some native code https://github.com/raspberrypi/rpi-imager/blob/qml/mac/macfile.cpp#L25 . Pull requests are welcome.

Locking the conversation as it’s not our priority right now to beautify and/or normalize the dialogue to a system one, as it involves solving so many other parallel issues; we already made clear that we’re more than welcome to receive PRs regarding the subject though, so if anybody feels like doing it, that would be awesome!