
In-app Navigation and IPC Sender Verification

masood opened this issue 7 months ago • 1 comment

Summary: Thank you for designing the Helios Launcher Desktop Application. The application does a great job of handling account and mod management. We list pointers of concern below that can help make the application more secure.

  1. [In-app Navigation]: While the application has checks on the did-navigate event (e.g., for Microsoft Auth [Link]), it can benefit from limiting a will-navigate event before any navigation to prevent loading and redirecting to third-party links within the app. [Link]
  2. [IPC Messages]: Since the application uses custom IPC, it will be helpful to verify the sender of IPC messages before handling and responding to them in IPC Main. While each handler currently receives the sender from the event for each of the arguments, they are not verified for all messages. [Link]

Thank you!

Platform(s) Affected: macOS, Windows, Linux

– Mir Masood Ali, PhD student, University of Illinois Chicago
Mohammad Ghasemisharif, PhD Candidate, University of Illinois Chicago
Chris Kanich, Associate Professor, University of Illinois Chicago
Jason Polakis, Associate Professor, University of Illinois Chicago

masood, Nov 25 '23 22:11
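As an added example (not HeliosLauncher's own code), here is how the two points above look in an Electron main process: a will-navigate allowlist that blocks before the navigation happens, and an ipcMain.handle wrapper that checks event.senderFrame.url on every call. The webContents and ipcMain objects are passed in as parameters, and the appRoot and trusted origin values are constructed placeholders, not the project's real ones.

```javascript
// Added example: Electron navigation allowlist + IPC sender verification.
// Electron objects (webContents, ipcMain) are injected as parameters so the
// policy logic runs without Electron; appRoot and trustedOrigins are assumptions.
// Policy: the app's own bundled pages live under appRoot (a file:// prefix);
// trustedOrigins are third-party sites the app legitimately navigates to.
const EXAMPLE_POLICY = {
  appRoot: 'file:///opt/helios/app/',                   // constructed placeholder
  trustedOrigins: ['https://login.microsoftonline.com'], // assumption: MS auth flow
};

// Parse a URL; WHATWG URL parsing resolves "../" segments, so a traversal-style
// file URL cannot escape appRoot via startsWith below.
function parseUrl(raw) {
  try { return new URL(raw); } catch (_) { return null; }
}

// May the renderer navigate to targetUrl? Own pages and allowlisted origins only.
function isAllowedNavigation(targetUrl, policy) {
  const u = parseUrl(targetUrl);
  if (!u) return false;
  if (u.protocol === 'file:') return u.href.startsWith(policy.appRoot);
  return policy.trustedOrigins.includes(u.origin);
}

// May this frame invoke privileged IPC? Stricter than navigation: only the app's
// own pages, never a third-party origin the window merely navigated to.
function isTrustedSender(frameUrl, policy) {
  const u = parseUrl(frameUrl);
  return u !== null && u.protocol === 'file:' && u.href.startsWith(policy.appRoot);
}

// Block disallowed navigations before they start (will-navigate, not did-navigate).
function installNavigationGuard(contents, policy) {
  contents.on('will-navigate', (event, targetUrl) => {
    if (!isAllowedNavigation(targetUrl, policy)) event.preventDefault();
  });
}

// Wrap an ipcMain.handle registration so every invocation verifies its sender
// frame; senderFrame may be null if the frame was already destroyed.
function registerGuardedHandler(ipcMain, channel, policy, handler) {
  ipcMain.handle(channel, (event, ...args) => {
    const frameUrl = event.senderFrame ? event.senderFrame.url : undefined;
    if (!isTrustedSender(frameUrl, policy)) {
      throw new Error(`rejected IPC on ${channel}: untrusted sender ${frameUrl}`);
    }
    return handler(event, ...args);
  });
}
```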