How to gain code execution on hundreds of millions of people and popular apps

The author came across the todesktop website while looking for the Cursor AI text editor installer and realized that a confusing pop-up in the installer came from todesktop, not from Cursor itself. Investigating further, they found a Firebase collection with insecure access rules and an arbitrary S3 upload vulnerability reachable through a Firebase cloud function. Exploiting the upload, they hijacked the deployment pipeline and gained access to secrets stored in the build container, including a hardcoded Firebase admin key. With that access they pushed an auto-update to their own app and obtained remote code execution, a path that could have reached hundreds of millions of users across the popular applications distributed through the service. The author responsibly disclosed the vulnerability to todesktop, which fixed it promptly and compensated them for their efforts. The write-up also shows how much a company's response matters once a security issue is reported.
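The linked post does not reproduce the actual Firebase rules, so the following is an added illustration, not code from the post or from todesktop, of the general misconfiguration that leaves a Firestore collection open to the world, beside a locked-down version. The collection name `apps` and the `ownerUid` field are placeholders assumed for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak: the catch-all match grants read and write to every client, including
    // unauthenticated ones, for every document in the database.
    match /{document=**} {
      allow read, write: if true;
    }

    // Hardened (assumed schema, placeholder collection "apps"): a client may only
    // read, create, update or delete documents whose ownerUid is its own signed-in
    // user id. Anything not matched by a rule is denied by default.
    match /apps/{appId} {
      allow read: if request.auth != null
                  && request.auth.uid == resource.data.ownerUid;
      allow create: if request.auth != null
                    && request.auth.uid == request.resource.data.ownerUid;
      allow update, delete: if request.auth != null
                            && request.auth.uid == resource.data.ownerUid;
    }
  }
}
```

The two blocks would not be deployed together; the catch-all rule is shown only as the weak setting the second one replaces. Rules can be checked against sample requests in the Firebase console's rules simulator or the local emulator before deployment. Note that security rules only govern client SDK access: a service holding an admin key bypasses them entirely, which is why a hardcoded admin key reachable from a build container, as in the post, undoes whatever the rules protect.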

https://kibty.town/blog/todesktop/