
Software contains remote code execution vulnerability via insecure autoupdate mechanism #494

Open
sneak opened this issue Sep 29, 2024 · 2 comments

sneak commented Sep 29, 2024

Expected Behavior

The code I downloaded is the code that runs on my machine, and remote attackers cannot change it without permission.

Current Behavior

The software automatically downloads arbitrary code from a remote server without consent, and runs it, granting control of the local system to anyone who controls the update server.

The person in control of the update server can then use this remote code execution ability to download endpoint keys, message plaintexts, etc.

Possible Solution

Require affirmative consent for autoupdates, default autoupdates to off.

Steps to Reproduce

Run the bridge software.

Version Information

current: da76784

Context (Environment)

I was running the bridge in a docker container and it downloaded new unchecked code without consent which ran on the next launch.

Detailed Description

Autoupdates must be approved by the user before being installed.

Possible Implementation

Signal does it by requiring a click before replacing the code:

signalapp/Signal-Desktop#4578
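A defensive sketch of the gate the report asks for, added here as an example and not code from Proton Bridge or from the issue author: updates are refused unless the user has explicitly opted in, each update needs per-update consent, the artifact must verify against a pinned Ed25519 key, and a downgrade is rejected. The manifest layout, the pinned key, and the three-part numeric version format are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Policy: AutoUpdateEnabled is false unless the user explicitly set it (default off);
// Consent is asked once per update before anything is written to disk.
type Policy struct {
	AutoUpdateEnabled bool
	Consent           func(version string) bool
}

// Update is an assumed manifest shape: artifact bytes plus a signature over
// sha256(artifact) || version, produced offline with the publisher's private key.
type Update struct {
	Version   string
	Artifact  []byte
	Signature []byte
}

var (
	ErrNotOptedIn   = errors.New("autoupdate is off by default; user has not opted in")
	ErrNoConsent    = errors.New("user declined this update")
	ErrBadSignature = errors.New("artifact does not verify against the pinned key")
	ErrRollback     = errors.New("candidate is not newer than the installed version")
)

func signedMessage(u Update) []byte {
	h := sha256.Sum256(u.Artifact)
	return append(h[:], []byte(u.Version)...)
}

// newer compares "major.minor.patch" versions numerically (assumed format).
func newer(candidate, installed string) bool {
	var c, i [3]int
	fmt.Sscanf(candidate, "%d.%d.%d", &c[0], &c[1], &c[2])
	fmt.Sscanf(installed, "%d.%d.%d", &i[0], &i[1], &i[2])
	for k := 0; k < 3; k++ {
		if c[k] != i[k] {
			return c[k] > i[k]
		}
	}
	return false
}

// ApplyUpdate runs the checks in order: opt-in, signature, anti-rollback, consent, install.
func ApplyUpdate(p Policy, pinned ed25519.PublicKey, installed string, u Update, install func([]byte) error) error {
	if !p.AutoUpdateEnabled {
		return ErrNotOptedIn
	}
	if !ed25519.Verify(pinned, signedMessage(u), u.Signature) {
		return ErrBadSignature
	}
	if !newer(u.Version, installed) {
		return ErrRollback
	}
	if p.Consent == nil || !p.Consent(u.Version) {
		return ErrNoConsent
	}
	return install(u.Artifact)
}

func main() {
	pub, _, _ := ed25519.GenerateKey(rand.Reader) // constructed key pair for the demo
	u := Update{Version: "3.14.0", Artifact: []byte("constructed artifact")}
	// With the default (zeroed) policy the update is refused before any download is used.
	fmt.Println(ApplyUpdate(Policy{}, pub, "3.9.0", u, func([]byte) error { return nil }))
}
```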

sneak commented Sep 29, 2024

Note that between this and #495 I am now convinced that the Proton developers do not respect my privacy or my rights to my own computer, and I'm going to be migrating all of my domains away from Protonmail. It's simply not worth the hassle to maintain my own Dockerfile to patch out these insane defaults.

ashrude commented Oct 12, 2024

I appreciate what you're trying to do, but how about instead of attacking Proton and shenxn, why not focus on real issues, or next time bring it up without being so hostile.
