In an intriguing cybersecurity tale, a tech enthusiast discovered a severe vulnerability in TodeDesktop’s platform. Initially investigating AI text editor Cursor’s installer connection to unknown domain ‘todesktop,’ they uncovered its link as an Electron app bundler service and SDK provider for various apps.
Delving deeper into the issue, they stumbled upon Firebase usage in TodeDesktop’s applications, leading them to exploit a weak point within their infrastructure. With sourcemaps available, reconnaissance revealed an unsecured collection named ‘temporaryApplications,’ listing app names but not much sensitive data at first glance.
The researcher then discovered that most deployment and logic processes occurred through the terminal using npm package ‘@todektop/cli.’ Installing it themselves allowed further exploration of its capabilities, including access to sourcemaps for deeper analysis.
Investigating further into ‘getSignedURL’ within Firebase Cloud Functioning, they found an arbitrary S3 upload vulnerability but lacked a suitable target path initially. However, their persistence paid off when they discovered how to hijack the deployment pipeline via a postinstall script with a simple reverse shell payload—successfully gaining access to critical systems.
Upon navigating through these containers and decrypting encrypted files using provided code, shockingly, they found stored secrets such as Apple IDs, remote signing keys, and an HSM’s credentials. This discovery highlighted significant security concerns within the platform since it allowed attackers to deploy updates across various apps instantly upon restarting them.
With these privileges in hand, potential impact could reach millions of users worldwide who use affected applications like ClickUp, Cursor (now switched), Linear, and Notion Calendar—primarily targeting tech professionals but potentially extending further depending on app adoption rates.
Quick action led to contacting TodeDesktop’s owner via Signal messaging where swift fixes were implemented by separating signing processes from main containers with user code logic into privileged sidecars. The company responded positively, compensated for efforts, and updated their blog regarding the incident transparently.
Although this type of security breach is commonplace in today’s digital landscape, TodeDesktop’s prompt response earned praise from all involved parties—showing how responsible handling can mitigate damage even after vulnerabilities arise. Ultimately, the researcher received $5k for their findings but later got an additional $50K from Cursor as appreciation for their efforts in exposing this critical flaw.
Complete Article after the Jump: Here!