Hacker News

Tell HN: Dropshare.app also runs a web server in localhost:34344

A fairly simple menu bar application available for macOS called DropShare.app [1] allows you to upload files to a remote server (3rd-party like Dropbox, Google Drive, or personal like your own AWS EC2 instance via SSH) and also manage these files once the upload is complete (delete, share, etc.). After the security vulnerability discovered in Zoom [2] I decided to inspect all the apps that I have currently installed, and found that DropShare is also running an unprotected web server that any other app can access, and with more potential to do damage as it gives you full access to upload and delete files to/from the server.

  $ strings "/Applications/Dropshare 5.app/Contents/PlugIns/Share.appex/Contents/MacOS/Share" | grep 34344
  http://localhost:34344/status
  http://localhost:34344/connections
  http://localhost:34344/upload

  $ curl -i -XPOST "http://localhost:34344/upload"
  > HTTP/1.1 200 OK
  > Cache-Control: no-cache
  > Content-Length: 17
  > Content-Type: application/json
  > Connection: Close
  > Server: Dropshare4-Interface
  > Date: Wed, 10 Jul 2019 06:15:57 GMT
  > 
  > {"success":false}

  $ curl -i -X GET "http://localhost:34344/connections"
  > HTTP/1.1 200 OK
  > Cache-Control: no-cache
  > Content-Length: 17
  > Content-Type: application/json
  > Connection: Close
  > Server: Dropshare4-Interface
  > Date: Wed, 10 Jul 2019 06:16:14 GMT
  > 
  > {"success":false}

  $ curl -i -X GET "http://localhost:34344/status"
  > HTTP/1.1 200 OK
  > Cache-Control: no-cache
  > Content-Length: 38
  > Content-Type: application/json
  > Connection: Close
  > Server: Dropshare4-Interface
  > Date: Wed, 10 Jul 2019 06:16:22 GMT
  > 
  > {"version":"5.1.8 (5094)","ask":false}

[1] https://dropshare.app/

[2] https://news.ycombinator.com/item?id=20387298

36 points | guessmyname posted 4 months ago
6 Comments:
tjosten said 4 months ago:

Hi there,

Dropshare developer here.

I’d like to quickly clarify that the initial statements are untrue. The web server is used as a communication bridge between the Share Extension and the app. It only accepts requests with a signature. It cannot delete, share or otherwise manage any uploaded files, and has no code that could potentially cause any harm on your server (e.g. by executing things). It only accepts file URLs from your local machine to be uploaded and again, only with a properly signed request.

It is unfair to compare this to the Zoom case since there is no potential vulnerability and, contrary to what you explain, there is no danger of someone doing damage to files on your server or anything of the sort.

Best, Timo

P.S.: Of course, in case you think you did indeed find a vulnerability I am not aware of, please get in touch via support@getdropsha.re according to responsible disclosure.

gtsteve said 4 months ago:

I've been considering doing something like this for my company, as some activities cannot be done in a web browser. My plan was that when the client is associated with the server via OpenID Connect, a public key is transferred to the client. The server will then sign all commands with its public key and timestamp so the client knows they are genuine. (Can I get HN's opinion on this design please?)

So, I don't think it's strictly necessary that when you find something like this it indicates some sort of vulnerability, although you are trusting the skill of third-party developers.

That said, if this is a vulnerability I'd first try getting in touch with their security team. If you have discovered a vulnerability you should give them a fair chance to patch it first before reporting it further, as you might be giving bad guys ideas.
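One way to implement the signed-request check tjosten describes and the timestamped signing gtsteve proposes, as an added example that is not Dropshare's code or anything posted in the thread; the HMAC-SHA256 scheme, the install-time shared secret, the header names and the 30-second freshness window are all assumptions:

```python
import hashlib
import hmac
import json
import time

# Constructed scheme (assumption, not Dropshare's): app and extension share a secret
# set up at install; each request carries a timestamp, a nonce and an HMAC-SHA256.
MAX_SKEW_SECONDS = 30

def canonical(method, path, ts, nonce, body):
    # Newline-delimited fields so a value cannot be shifted into another slot.
    return "\n".join([method, path, str(ts), nonce, hashlib.sha256(body).hexdigest()]).encode()

def sign_request(secret, method, path, ts, nonce, body):
    return hmac.new(secret, canonical(method, path, ts, nonce, body), hashlib.sha256).hexdigest()

class SignedLocalEndpoint:
    """Server side of the localhost bridge: rejects unsigned, tampered, stale or replayed requests."""
    def __init__(self, secret, now=time.time):
        self.secret, self.now, self.seen = secret, now, {}  # seen: nonce -> timestamp

    def handle(self, method, path, headers, body=b""):
        ts_hdr, nonce, sig = (headers.get(h) for h in ("X-Timestamp", "X-Nonce", "X-Signature"))
        if not (ts_hdr and nonce and sig and ts_hdr.isdigit()):
            return {"success": False, "error": "unsigned"}
        ts, now = int(ts_hdr), int(self.now())
        self.seen = {n: t for n, t in self.seen.items() if now - t <= MAX_SKEW_SECONDS}  # prune old
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return {"success": False, "error": "stale"}
        if nonce in self.seen:
            return {"success": False, "error": "replay"}
        if not hmac.compare_digest(sign_request(self.secret, method, path, ts, nonce, body), sig):
            return {"success": False, "error": "bad signature"}
        self.seen[nonce] = ts
        return {"success": True, "request": json.loads(body or b"{}")}

def demo(now=1562738157):
    """One valid upload request plus the four kinds the endpoint must reject."""
    secret = b"constructed-shared-secret"
    srv = SignedLocalEndpoint(secret, now=lambda: now)
    body = json.dumps({"file": "/Users/me/report.pdf"}).encode()
    hdrs = {"X-Timestamp": str(now), "X-Nonce": "n1", "X-Signature": sign_request(secret, "POST", "/upload", now, "n1", body)}
    late = SignedLocalEndpoint(secret, now=lambda: now + 120)  # clock far past the window
    return {
        "unsigned": srv.handle("POST", "/upload", {}, body)["error"],
        "valid": srv.handle("POST", "/upload", hdrs, body)["success"],
        "replay": srv.handle("POST", "/upload", hdrs, body)["error"],
        "tampered": srv.handle("POST", "/upload", dict(hdrs, **{"X-Nonce": "n2"}), body)["error"],
        "stale": late.handle("POST", "/upload", hdrs, body)["error"],
    }
```

The nonce cache is what turns a timestamp window into replay protection; without it, a captured signed request stays valid for the whole window.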

deca6cda37d0 said 4 months ago:

How do you inspect apps to find if they are running local servers?

pietroglyph said 4 months ago:

  lsof -i

Works on GNU/Linux and should also work on macOS.
o-__-o said 4 months ago:

  lsof -iPn |grep LISTEN
