"Remote Code Execution in Slack desktop apps" hackerone.com/reports/783877

This is why I refuse to use Slack, Discord, etc. in their native app versions – only in the browser. Browsers have gotten pretty good at sandboxing and auto-updating. Historically, Electron apps have demonstrated themselves to be good at neither.

With an Electron app, you're basically running a custom-made browser where the authors have to be trusted to get two aspects of security right – the web dev part, and the browser dev part.

If a website is insecure, worst case scenario (most of the time) is that an attacker can get access to that site's data. If an Electron app is insecure, worst case scenario is that the attacker gets full system access to do whatever they want. That's terrifying.

Show thread

Some people prefer the Electron versions of apps because they like being able to press Alt-Tab instead of having to pin a browser tab. Or they like that it's better integrated into the system notifications. For me, this is a bad reason to compromise so much security (and performance as well – you're running a whole extra instance of Chromium).

Show thread

Chrome is going the right direction with desktop PWAs, but I'm disappointed that so few apps have opted into it. On my work computer, there is literally one webapp I use on a regular basis that actually has a PWA version – Google Chat. I saved it as a desktop PWA, I get Alt-Tab, I get a separate window for it with its own app icon and everything, and yet it's still running the same old Chrome under the hood, with the same old security guarantees. It's a win-win for both UX and security.

Show thread
Follow

@nolan It's early days for PWA indeed. But, the technology is far ahead and ubiquitous enough that we're really just one big example away from it becoming normal.

We need one big app to go all-in and advertise its site as offline or homescreen compatible, to really seed these concepts with users at large.

... until then, it's back to the 90s with "site directories" to discover them. Here's one I like:

appsco.pe/

(Not all entries are offline, but it documents which ones are.)

@krinkle Wow, this is neat! And it actually has a page for Pinafore with screenshots and everything. That's pretty cool. appsco.pe/app/pinafore

Sign in to participate in the conversation
Mastodon for Tech Folks

This Mastodon instance is for people interested in technology. Discussions aren't limited to technology, because tech folks shouldn't be limited to technology either!