Security Risk: Arbitrary Download
Describe the bug
I haven't created a proof-of-concept for the bug yet, but looking at some files, it appears that any unsandboxed application is able to modify the JSON that Xcodes saves offline to load on launch. They could then change the download URL to a modified Xcode or something else entirely, allowing Xcodes to load malware onto the system without a user's knowledge.
I would have to look a lot deeper, but I wonder if a malformed file could also lead to privilege escalation via the helper tool.
@MattKiazyk I don't want to scare anyone or publish too many details publicly without a fix. How should we proceed? Am I wrong? Should I make a proof of concept for the downloading update?
I have confirmed that it is possible to inject other URLs and Xcodes will just accept it.
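The mitigation the report points at is to treat the on-disk cache as untrusted input rather than as something the app wrote and can therefore believe. The following is an added example, not code from the Xcodes project and not the project's actual cache format: it assumes the cache is a JSON list of `{"version", "url"}` entries and that legitimate installers come only from a small allowlist of Apple hosts (`ALLOWED_HOSTS` here is an assumption). Any entry that is not `https` on an allowlisted host causes the whole cache to be rejected, so a rewritten download URL can never reach the downloader.

```python
import json
from urllib.parse import urlparse

# Constructed allowlist of hosts an Xcode installer may be fetched from.
# Assumption for this example only; the project's real host list may differ.
ALLOWED_HOSTS = {"developer.apple.com", "download.developer.apple.com"}


class UntrustedCacheError(ValueError):
    """Raised when the on-disk cache fails validation and must be discarded."""


def is_trusted_download_url(url: str) -> bool:
    """True only for an https URL whose host is on the allowlist.

    urlparse().hostname strips userinfo and port, so a URL such as
    https://developer.apple.com@attacker.example/ resolves to attacker.example
    and is rejected rather than mistaken for an Apple host.
    """
    try:
        parts = urlparse(url)
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    return parts.hostname in ALLOWED_HOSTS


def load_cached_releases(raw_json: str) -> list:
    """Parse the cached release list, rejecting any entry whose URL is untrusted.

    The cache is treated as attacker-controlled because any process running
    as the same user can rewrite it, so a single bad entry invalidates the
    whole file instead of being silently skipped.
    """
    try:
        data = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise UntrustedCacheError(f"cache is not valid JSON: {exc}") from None
    if not isinstance(data, list):
        raise UntrustedCacheError("cache root must be a list of releases")
    releases = []
    for entry in data:
        if not isinstance(entry, dict) or "version" not in entry or "url" not in entry:
            raise UntrustedCacheError("malformed release entry")
        url = entry["url"]
        if not isinstance(url, str) or not is_trusted_download_url(url):
            raise UntrustedCacheError(f"refusing download URL from untrusted origin: {url!r}")
        releases.append({"version": str(entry["version"]), "url": url})
    return releases


# Constructed sample caches (not real Xcodes data).
GOOD_CACHE = json.dumps([
    {"version": "15.0", "url": "https://download.developer.apple.com/example/Xcode_15.xip"},
])
TAMPERED_CACHE = json.dumps([
    {"version": "15.0", "url": "https://developer.apple.com@attacker.example/Xcode_15.xip"},
])

if __name__ == "__main__":
    print(load_cached_releases(GOOD_CACHE))
    try:
        load_cached_releases(TAMPERED_CACHE)
    except UntrustedCacheError as exc:
        print("rejected:", exc)
```

Host allowlisting narrows what a tampered cache can point at, but it does not stop a same-user attacker from pointing the app at a different legitimate build or an older version, so a fuller fix would also verify the downloaded archive (signature or pinned hash) before anything is installed or handed to a privileged helper.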