It's 2020 so not only is your mouse config tool a Node.JS Electron app, it's also pwnable by an evil webpage

Earlier this year, peripheral maker Kensington patched its desktop software to close a vulnerability that could have been exploited by malicious websites to quietly hijack victims' computers. Now the programmer who found this remote-code-execution hole, and reported it to the manufacturer, has identified a similarly serious …

  1. David Austin

    "It’s relatively easy for software developers to use and it’s rather difficult to secure."

    Well... that's a depressing sentence to read. Sounds like they've set novice developers up to fail with that one.

  2. Anonymous Coward

    I can't help but think that something is wrong with modern software design, when a simple mouse driver config editor needs to have a built in webserver.

    1. Flocke Kroes Silver badge

      And further back in the chain...

      Mouse config should be done in the window manager / desktop environment so it works the same way for any mouse not just those badged by a particular wholesaler.

      1. Dave 126 Silver badge

        Re: And further back in the chain...

        Ideally, yeah, and that would put pressure on the OS developer to implement the genuinely useful features that are currently present in, for example, Logitech's mouse config software. Maybe it's moving that way - see Microsoft's recent efforts in defining the way a trackpad should work (as opposed to the tiny track pads many laptops once had). Apple of course has greater control over trackpads (usually very good) and mice (to a sometimes mixed reception).

        Until that day, however, some users derive great benefit from the extra features and options that are only found in the mouse vendors' config suites. Other users will use devices that aren't mice (graphics tablets, accessibility devices). Gamers will always delight in a bespoke config suite.

        1. ovation1357 Bronze badge

          Re: And further back in the chain...

          "Microsoft's recent efforts in defining the way a trackpad should work"

          You mean like how, quite recently on an old Acer laptop, my Ubuntu 18.04 live USB environment quite happily supported full functionality including scrolling edges on the built-in trackpad, yet the built-in Windows 10 driver has no support for scrolling using the trackpad, and all my googling efforts turned up was that it's older hardware so there's no driver support and tough luck.

          Microsoft could include decent support for older kit but they don't care.

          Their idea of defining how a trackpad should work would probably include the addition of a Windows button on every mouse, and built-in obsolescence that would render hardware older than 5 years unusable. No thanks.

    2. LDS Silver badge

      And a 100+ MB footprint...

      Unluckily the most followed process today is "Fashion Driven Development" (its acronym is FADD).

    3. Pascal Monett Silver badge
      WTF?

      I totally agree with you. What is this madness? You need a webserver to manage your mouse configs?

      Is this another case of a job being given to the summer intern who just finished a web development course?

      Get your ducks in a row and make a proper DLL in C++ to do the job.

      Oh, right, that means you're actually going to have to learn a proper programming language. Sorry.

      1. Paul Hovnanian Silver badge

        "Get your ducks in a row and make a proper DLL"

        You meant to say .so library. Right?

    4. Mage Silver badge
      Mushroom

      Absolute Fail

      1) A scripting language when we have had real ones for 40 years.

      2) A web server other than a proper one to actually serve web pages on the Internet or Intranet.

      They should be banned from distributing software.

      This is crazy on so many levels.

      You also don't need to be lured. I use uMatrix because companies such as CNN and the BBC have served adverts with malware. Google doesn't seem to really care.

      Adverts need to be an image served from the main page's domain with simply an ordinary clickable link. Or links. A client side pure HTML image map is OK.

      Also, web sites using 3rd party code loaded at page load rather than having their own local checked copy is a privacy and security fail.

      BUT A STUPID DESKTOP APPLICATION!!!!!!

      1. dajames Silver badge

        Re: Absolute Fail

        Adverts need to be an image served from the main page's domain with simply an ordinary clickable link. Or links. A client side pure HTML image map is OK.

        Duly upvoted!

        Allowing active content in adverts that are shown to the user without the user's consent is an atrocity. A simple text-and-image(s) panel with clickable link(s) should suffice.

  3. DrXym Silver badge

    I like Electron but...

    ...using it for some lousy mouse configuration app seems like massive overkill. Electron is Chromium and NodeJS lashed together just so somebody can adjust their mousewheel sensitivity.

    The use of browser engines is so pervasive in some applications (e.g. most game launchers like Steam, Epic etc.) that I wouldn't be surprised that people unwittingly have 10 or 20 of them installed on their machine bloating out the disk.

    1. Evil_Goblin

      Re: I like Electron but...

      I haven't installed the "configuration apps" since I bought a Gravis gamepad in the 90s, and found it worked better without it.

      For example I have a Logitech MX Master 2S here running perfectly with no utilities etc installed, all the buttons/features that I know about/need all work, what am I missing out on that merits the install?

      Genuine question by the way, not an "ooooh look at me" post.

      1. Dave 126 Silver badge

        Re: I like Electron but...

        If it works for you, that's grand. I've not used my MX Master mouse without the Setpoint software, so in a way my ignorance is the mirror image of yours! :)

        That said, the Logitech Setpoint software for Windows includes a clone of OSX's 'Exposé' task-switcher which I value greatly and map to one of the mouse's many buttons. It's only selectable if Setpoint detects you're using an MX mouse, oddly.

        Beyond that, I've only used the software to configure buttons, which I assume Windows can do natively. There's also an option in Setpoint to have different button configs for different applications, and I attempted to map keyboard keys to various mouse buttons to streamline my Civ 5 experience (turns out I was playing it wrong).

        I don't need any software to tell me the mouse's battery level, since the mouse has LEDs for this purpose.

        I'm not really a gamer, but someone who is might have a different response to your question.

      2. DrXym Silver badge

        Re: I like Electron but...

        I think it's just a symptom that some manufacturers think having their software look & feel like other software is for squares. This was always an issue in Windows mostly with software like drivers, antivirus and media players. We'd see all kinds of terrible UIs with windows with rounded corners, non-standard controls, brushed metal, horrible fonts etc.

        In the past they might have rendered their weird GUI in C++ with Win32 APIs, but these days they'll use Qt / QML or they'll wrap a browser to do it. Qt / QML costs money for commercial use so I assume many are cheaping out by using Electron. And so it is they write some glorified dialog box in JS, HTML and CSS and users suffer a massive install and runtime for it. And clearly in some cases it comes with a free exploit on the side.

        Anyway, I much prefer it when Windows supports a device out of the box because there is no need to deal with this BS. I'm sick of bloated drivers, or worse, ones that run constantly with embedded nagvertisements, spyware, e.g. many printer drivers.

    2. fidodogbreath Silver badge

      Re: I like Electron but...

      Obligatory xkcd

      1. ibmalone Silver badge

        Re: I like Electron but...

        Funny, I was expecting this one, or maybe this one, or it might have been this one.

        1. fidodogbreath Silver badge
          Pint

          Re: I like Electron but...

          Good choices, all. Especially the first one.

  4. Wade Burchette Silver badge

    The first rule of programming

    The first rule of programming should always be to assume someone will abuse the system. So you must always think about how the software can be hacked and what can happen if it was hacked. You must work around security, and never assume nobody will bother to hack the software.

  5. 2+2=5 Silver badge
    Unhappy

    Hard of Hardening

    > “Presumably Kensington didn’t add authentication because they didn’t expect anything to try to talk to the server other than their own, trusted UI.”

    Developer: There's the proof of concept working... [and goes on to demo the functionality]

    Product owner: That's great, we'll GM on Friday.

    Developer: But there's been no volume testing, compatibility testing, nor security hardening?

    Product owner: That's great, we'll GM on Friday.

  6. jimmy-o

    It sounds like a case of "when all you have is a hammer, everything looks like a nail": going for the bad solution that they know, rather than doing a quick search online to see if there are any better options out there. Or it was a stack decision forced onto the developers by management.

    For example, Qt Quick is an excellent, mature framework designed for doing secure cross-platform JavaScript desktop apps. Maybe Electron can do it properly too, without the local server, for all I know.

    1. Mage Silver badge
      Facepalm

      Re: secure cross-platform JavaScript desktop apps.

      Oxymoron.

      Real production applications of any kind for local execution should not be written in JavaScript, or indeed anything else really intended to help the functionality of a website. They should use a proper programming language, the minimum being the kind compiled to an intermediate code.

  7. Elledan Silver badge

    Welcome to the cd Electron app

    And here I was thinking that the nightmare scenario of cd, ls, ln and other CLI tools was just an exaggeration and could never happen.

    After config tools and utilities switching to Electron/JS, might we soon see the successor to systemd: NodeD? Or maybe NodeOS will suddenly become the dominant Linux distribution.

    Is this modern software development now?

    1. Anonymous Coward

      Re: Welcome to the cd Electron app

      I fear so. There is a sustained theme of inappropriate choices of language for many projects. Systemd is of course a horrible pile of manure in concept, execution and success, but to cap it all off they chose to write it in C. Now C is a systems language, but systemd is not an OS kernel and might have used something other than the language that is hardest to get things right in. Rust would nowadays be a far superior option (there's even just such a project here), but back then even just using C++11 (or even older C++ and Boost) with smart pointers would have been viable and a whole lot more straightforward than C.

      I've seen various projects in my time where the overriding reason to pick a particular language was "because it'll be fun", not important reasons associated with efficiency, support, etc.

      My 2 cents worth for the modern era: systems and native code: Rust. Web (if we must): Typescript. There's no real place for Java, C# I think now, Rust has most of the same benefits, an expanding and well thought out ecosystem, and doesn't need a runtime. Anyone who mentions "dynamic languages like Python" ought to be shot.

    2. ibmalone Silver badge

      Re: Welcome to the cd Electron app

      Probably time to burn it all to the ground and go back to bashing rocks.

  8. Rilik
    Facepalm

    Electron, as stated before, is a "developers first, users later" framework. It allows rapid development thanks to its reliance on such an accessible language as JavaScript.

    End of the story. It's not for elegant applications, it's not for secure applications. It's the product of the ship fast, fix later (maybe) mentality the folks in Silicon Valley gifted us with.

  9. Anonymous Coward

    Sorry I’m a bit late, had a terrible time…

    but... if it's Electron, and has its own HTML window, why did they need a separate web server? And one that's always running?

    Sounds like a bad plan, leading to "All sort of things cropping up at the last moment."

    1. ovation1357 Bronze badge

      Re: Sorry I’m a bit late, had a terrible time…

      Holy Zarquon's singing fish! You're right.

Biting the hand that feeds IT © 1998–2021