
Tell HN: Dropshare.app also runs a web server in localhost:34344 - guessmyname
A fairly simple menu bar application available for macOS called DropShare.app [1] allows you to upload files to a remote server (3rd-party like Dropbox, Google Drive, or personal like your own AWS EC2 instance via SSH) and also manage these files once the upload is complete (delete, share, etc). After the security vulnerability discovered in Zoom [2] I decided to inspect all the apps that I have currently installed, and found that DropShare is also running an unprotected web server that any other app can access, and with more potential to do damage as it gives you full access to upload and delete files to/from the server.

    $ strings "/Applications/Dropshare 5.app/Contents/PlugIns/Share.appex/Contents/MacOS/Share" | grep 34344
    http://localhost:34344/status
    http://localhost:34344/connections
    http://localhost:34344/upload

    $ curl -i -XPOST "http://localhost:34344/upload"
    > HTTP/1.1 200 OK
    > Cache-Control: no-cache
    > Content-Length: 17
    > Content-Type: application/json
    > Connection: Close
    > Server: Dropshare4-Interface
    > Date: Wed, 10 Jul 2019 06:15:57 GMT
    > 
    > {"success":false}

    $ curl -i -X GET "http://localhost:34344/connections"
    > HTTP/1.1 200 OK
    > Cache-Control: no-cache
    > Content-Length: 17
    > Content-Type: application/json
    > Connection: Close
    > Server: Dropshare4-Interface
    > Date: Wed, 10 Jul 2019 06:16:14 GMT
    > 
    > {"success":false}

    $ curl -i -X GET "http://localhost:34344/status"
    > HTTP/1.1 200 OK
    > Cache-Control: no-cache
    > Content-Length: 38
    > Content-Type: application/json
    > Connection: Close
    > Server: Dropshare4-Interface
    > Date: Wed, 10 Jul 2019 06:16:22 GMT
    > 
    > {"version":"5.1.8 (5094)","ask":false}

[1] https://dropshare.app/

[2] https://news.ycombinator.com/item?id=20387298
======
tjosten
Hi there,

Dropshare developer here.

I’d like to quickly clarify that the initial statements are untrue. The
web server is used as a communication bridge between the Share Extension and the
app. It only accepts requests with a signature. It cannot delete, share or
otherwise manage any uploaded files, and has no code that could potentially cause
any harm on your server (e.g. by executing things). It only accepts file URLs
from your local machine to be uploaded and again, only with a properly signed
request.

It is unfair to compare this to the Zoom case since there is no potential
vulnerability and, contrary to what you explain, there is no danger of
someone damaging files on your server whatsoever.

Best, Timo

P.S.: Of course in case you think you did find indeed a vulnerability I am not
aware of, please get in touch via support@getdropsha.re according to
responsible disclosure.

------
gtsteve
I've been considering doing something like this for my company, as some
activities cannot be done on a web browser. My plan was that when the client
is associated with the server via OpenID Connect, a public key is transferred
to the client. The server will then sign all commands with its public key and
timestamp so the client knows they are genuine. (Can I get HN's opinion on
this design please?)

So, I don't think it's strictly necessary that when you find something like
this it indicates some sort of vulnerability, although you are trusting the
skill of third-party developers.

That said, if this is a vulnerability I'd first try getting in touch with
their security team. If you have discovered a vulnerability you should give
them a fair chance to patch it first before reporting it further, as you might
be giving bad guys ideas.
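
Both tjosten's description (the bridge only honours signed requests) and gtsteve's proposed design (server-signed commands carrying a timestamp) come down to the same check on the receiving side, so here is one worked version of it. This is an added example, not Dropshare's code and not gtsteve's; the thread does not describe Dropshare's actual signing scheme, and gtsteve's design would use an asymmetric key pair delivered over OpenID Connect, where this example stands in a shared HMAC secret (an assumption that fits an app and its own extension, which can share a secret locally). The names `sign_request`, `RequestVerifier`, the `X-Timestamp`/`X-Nonce`/`X-Signature` headers and the 30-second skew window are all mine. The reason a loopback server needs this at all is that every process on the machine, and through the browser every web page, can reach 127.0.0.1, so each request must be authenticated and a captured request must not be replayable.

```python
"""Signed-request check for a localhost IPC bridge (added example, not Dropshare's code)."""
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

MAX_SKEW_SECONDS = 30  # reject timestamps further than this from the verifier's clock (assumed value)

# Constructed sample: a shared secret and an /upload body like the one the bridge would accept.
DEMO_SECRET = b"constructed-shared-secret"
SAMPLE_BODY = b'{"files": ["/Users/alice/Desktop/report.pdf"]}'


def _canonical(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    # Bind method, path, body digest, timestamp and nonce into one string so that
    # none of them can be swapped without invalidating the signature.
    return "\n".join([method.upper(), path, str(ts), nonce,
                      hashlib.sha256(body).hexdigest()]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None, nonce: Optional[str] = None) -> Dict[str, str]:
    """Caller side: produce the headers that accompany a request."""
    ts = int(time.time()) if timestamp is None else timestamp
    nonce = nonce if nonce is not None else secrets.token_hex(16)
    sig = hmac.new(secret, _canonical(method, path, body, ts, nonce), hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class RequestVerifier:
    """Server side: accept a request only if it is fresh, unseen and correctly signed."""

    def __init__(self, secret: bytes, now: Callable[[], float] = time.time):
        self.secret = secret
        self.now = now                      # injectable clock so the check is testable
        self._seen: Dict[str, int] = {}     # nonce -> timestamp, pruned once outside the window

    def verify(self, method: str, path: str, body: bytes,
               headers: Dict[str, str]) -> Tuple[bool, str]:
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing headers"     # an unsigned curl -XPOST lands here
        now = int(self.now())
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False, "stale"               # too old (or too far in the future) to replay
        self._prune(now)
        if nonce in self._seen:
            return False, "replay"              # same request seen inside the window
        expected = hmac.new(self.secret, _canonical(method, path, body, ts, nonce),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):   # constant-time comparison
            return False, "bad signature"
        self._seen[nonce] = ts
        return True, "ok"

    def _prune(self, now: int) -> None:
        self._seen = {n: t for n, t in self._seen.items() if abs(now - t) <= MAX_SKEW_SECONDS}


if __name__ == "__main__":
    verifier = RequestVerifier(DEMO_SECRET)
    print("unsigned POST /upload:", verifier.verify("POST", "/upload", SAMPLE_BODY, {}))
    headers = sign_request(DEMO_SECRET, "POST", "/upload", SAMPLE_BODY)
    print("signed POST /upload:  ", verifier.verify("POST", "/upload", SAMPLE_BODY, headers))
    print("replayed request:     ", verifier.verify("POST", "/upload", SAMPLE_BODY, headers))
```

With an asymmetric scheme as gtsteve describes, `sign_request` would sign `_canonical(...)` with the sender's private key and `verify` would check it against the distributed public key; the timestamp window, nonce cache and constant-time comparison stay exactly as they are.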

------
deca6cda37d0
How do you inspect apps to find if they are running local servers?

~~~
pietroglyph

      lsof -i
    

Works on GNU/Linux and should also work on macOS.

~~~
o-__-o
    lsof -iPn | grep LISTEN
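
To go one step further than eyeballing that output, here is a script, added as an example and not posted by anyone in the thread, that parses `lsof -iPn` output into an inventory: which listeners are bound to loopback only, which are bound to every interface, and which process owns each. It can then ask a loopback port what it serves with the same `GET /status` the original post did with curl. The lsof lines inside the block are constructed sample output; the helper names `parse_lsof_listeners`, `audit` and `probe_http` are mine.

```python
"""Inventory of listening TCP sockets from `lsof -iPn` output (added example)."""
import http.client
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOOPBACK = {"127.0.0.1", "::1", "[::1]", "localhost"}
WILDCARD = {"*", "0.0.0.0", "::", "[::]"}

# Constructed sample of `lsof -iPn` output; only the (LISTEN) rows matter for the audit.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
Share     41234 alice    5u  IPv4 0x5f2a1c3e4d5b6a70      0t0  TCP 127.0.0.1:34344 (LISTEN)
devserver 41500 alice    7u  IPv4 0x5f2a1c3e4d5b6a71      0t0  TCP 127.0.0.1:8081 (LISTEN)
nodeapp   41600 alice    9u  IPv6 0x5f2a1c3e4d5b6a72      0t0  TCP *:3000 (LISTEN)
Slack     41700 alice   30u  IPv4 0x5f2a1c3e4d5b6a73      0t0  TCP 192.0.2.10:54321->198.51.100.7:443 (ESTABLISHED)
mDNSRespo   312 _mdnsresponder 8u IPv4 0x5f2a1c3e4d5b6a74 0t0 UDP *:5353
"""


@dataclass
class Listener:
    command: str
    pid: int
    user: str
    proto: str
    address: str
    port: int

    @property
    def scope(self) -> str:
        """loopback: only local processes can reach it; all-interfaces: the whole network can."""
        if self.address in LOOPBACK:
            return "loopback"
        if self.address in WILDCARD:
            return "all-interfaces"
        return "specific"


def parse_lsof_listeners(text: str) -> List[Listener]:
    """Keep only rows whose state is (LISTEN); NAME and state are taken from the end of the row."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 9 or fields[-1] != "(LISTEN)":
            continue
        # lsof truncates COMMAND; a command name containing spaces would shift the columns.
        command, pid, user = fields[0], int(fields[1]), fields[2]
        proto = fields[-3]                           # "TCP"
        address, port = fields[-2].rsplit(":", 1)    # works for "*:3000" and "[::1]:8080" too
        listeners.append(Listener(command, pid, user, proto, address, int(port)))
    return listeners


def run_lsof() -> str:
    # The command from the thread; -P and -n keep ports and addresses numeric.
    return subprocess.run(["lsof", "-iPn"], capture_output=True, text=True, check=False).stdout


def audit(text: Optional[str] = None) -> Dict[str, List[Listener]]:
    """Group listeners by reachability; runs lsof itself when no captured output is given."""
    report: Dict[str, List[Listener]] = {"loopback": [], "all-interfaces": [], "specific": []}
    for listener in parse_lsof_listeners(run_lsof() if text is None else text):
        report[listener.scope].append(listener)
    return report


def probe_http(port: int, path: str = "/status", host: str = "127.0.0.1",
               timeout: float = 2.0) -> Optional[Tuple[int, str]]:
    """Ask a loopback listener what it is (status code and Server header); None if not HTTP."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server", "")
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


if __name__ == "__main__":
    for scope, items in audit().items():
        for item in items:
            print(f"{scope:15} {item.command:12} pid={item.pid:<6} {item.address}:{item.port}")
```

Run it as-is to list the real listeners on your machine; loopback entries owned by GUI apps are the ones worth a follow-up `probe_http(port)` to see which application answers and whether it does so without any credential.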

