Security Vulnerability: Blockstack Browser for Linux Users Should Upgrade Protocol Handler

We recently discovered a bug in our Linux blockstack:// protocol handler which would allow a link, if approved by the user, to escape the authentication script. This issue has been corrected in our Linux install script, available here:

https://github.com/blockstack/blockstack-browser/releases/download/v0.29.3/Blockstack-for-Linux-v0.29.3.sh

We recommend downloading and running that script with the following commands:

$ chmod +x Blockstack-for-Linux-v0.29.3.sh
$ ./Blockstack-for-Linux-v0.29.3.sh install-protocol-handler

This will remove the previous protocol handler, and install one with the bug corrected.

If you wish to simply remove the protocol handler, run the following:

$ rm ~/.local/share/applications/blockstack.desktop

How this bug occurred

The string replacement and quoting scheme used by Linux .desktop protocol handlers differs from bash quoting in a few important ways, allowing even quoted strings within the protocol handler to escape the quotes. We fixed this by separating the protocol handler and the script used to parse the request.

How we’ll prevent these bugs in the future

No two security issues are ever identical, so while we have addressed this one, it doesn’t necessarily speak to others. Blockstack is an open-source project, so our code is open and visible to any community members to inspect and audit, and we encourage community members to help support the project by doing that. In addition to these community member reviews, Blockstack PBC performs code audits with external reviewers (in the past two years, we’ve done 2 reviews a year) and supports a bug bounty program (https://hackerone.com/blockstack), both of which are ways we get external eyes on our codebase to try and find these kinds of issues.

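
The quoting problem described under "How this bug occurred", as an added example that is not part of the original post or Blockstack's code: a shell check that flags .desktop Exec= lines where a URL field code such as %u sits inside a quoted argument or is handed to an inline `sh -c` command, and passes entries that give %u to a separate script as its own argument. The sample entries, `example-open` and `/opt/example/handle-request.sh` are constructed assumptions.

```sh
#!/bin/sh
# Added example: audit .desktop Exec= lines for field codes that can reach a shell.
# Handler names and URLs in the samples are constructed, not Blockstack's own.

SH_C_RE='(^|[[:space:]/])(ba|da|z|k)?sh[[:space:]]+-c[[:space:]].*%[uUfF]'

# Exit 0 if a %u/%U/%f/%F field code sits inside a quoted span of Exec value $1.
# The body runs in a subshell "( )" so its variables stay local.
field_code_in_quotes() (
    rest=$1 q=''
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}; rest=${rest#?}      # pop the first character
        if [ -z "$q" ]; then
            case $c in '"'|"'") q=$c ;; esac       # opening quote
        elif [ "$c" = "$q" ]; then
            q=''                                   # closing quote
        elif [ "$c" = '\' ] && [ "$q" = '"' ]; then
            rest=${rest#?}                         # skip the escaped character
        elif [ "$c" = % ]; then
            case $rest in [uUfF]*) exit 0 ;; esac  # field code while quoted
        fi
    done
    exit 1
)

# Print findings for file $1; status 0 = clean, 1 = risky, 2 = no Exec key.
audit_desktop_exec() (
    risky=0
    line=$(sed -n 's/^Exec=//p' "$1" | head -n 1)
    [ -n "$line" ] || { echo "$1: no Exec key"; exit 2; }
    if field_code_in_quotes "$line"; then
        echo "$1: field code inside a quoted argument"; risky=1
    fi
    if printf '%s\n' "$line" | grep -Eq "$SH_C_RE"; then
        echo "$1: field code handed to an inline shell command"; risky=1
    fi
    exit "$risky"
)

# Write two constructed handler entries into directory $1.
make_samples() {
    printf '%s\n' '[Desktop Entry]' 'Type=Application' \
        "Exec=sh -c 'example-open \"https://auth.example/?req=%u\"'" > "$1/inline.desktop"
    printf '%s\n' '[Desktop Entry]' 'Type=Application' \
        'Exec=/opt/example/handle-request.sh %u' > "$1/separate.desktop"
}

tmp=$(mktemp -d) && make_samples "$tmp"
for f in "$tmp"/*.desktop; do audit_desktop_exec "$f" || true; done
rm -rf "$tmp"
```

To check the handlers installed for your own account, call `audit_desktop_exec` on each file in ~/.local/share/applications/.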