Critical Vulnerability Found in ToDesktop Build Container

2025-02-28

A security researcher investigating the installer for the AI text editor Cursor uncovered a critical vulnerability in ToDesktop, the Electron app bundler service that Cursor relies on. Through reverse engineering and exploitation, the researcher gained complete control of ToDesktop's build container and access to its Firebase database, including sensitive keys for signing and uploading applications. With that access, malicious updates could potentially have been deployed to millions of users, resulting in Remote Code Execution (RCE). ToDesktop responded swiftly, patching the vulnerability and acknowledging the researcher's contribution. The incident highlights the ongoing need for vigilance and improvement in software supply chain security.