balena-wpe icon indicating copy to clipboard operation
balena-wpe copied to clipboard

Published 20 hours ago verified publisher icon balena-io-experimental

Tohora allows anyone to change the URL

Open idoodler opened this issue 5 years ago • 3 comments

I am working on some info screens for our small flats we rent out. I noticed that you recently added Tohora which allows anyone to change the URL of the WebView to any arbitrary URL without authentication.

Anyone bored teenager could "hack" into the system and display some unwanted pages.

I would recommend to actively opt-in to Tohora. There also isn't a single mention in the readme that this service exists.

idoodler avatar Jul 23 '19 14:07 idoodler

ping

idoodler avatar Sep 13 '19 19:09 idoodler

ping

idoodler avatar Sep 29 '19 08:09 idoodler

You could remove the port mapping so the port is no longer accessible.

https://github.com/balenalabs/balena-wpe/blob/8b8e21fcb592d96c84eba8f1ea302e89f5f75322/docker-compose.yml#L8-L9

Chrissi2812 avatar Feb 05 '20 13:02 Chrissi2812