Revise backup format to not consist of serialized Java objects #381
Comments
juleskers
added a commit
to juleskers/Aegis
that referenced
this issue
Jul 2, 2024
Include the '(1.x)' qualifier directly in the import-source selection dropdown to avoid raising false expectations. See also: - beemdevelopment#1204, where the 1.x-hint was introduced - beemdevelopment#1084: tracking issue for 2.x support - freeotp/freeotp-android#381 FreeOTP-issue to reconsider the brittle serialised java format used by 2.x
This was referenced Jul 3, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Today I took a quick look at adding support for importing FreeOTP 2 backup files to Aegis. To my surprise, the backup file starts with:
I didn't spend any time trying to find a gadget chain to exploit this. Perhaps there is none. But I'd like to not have to worry about a maliciously crafted FreeOTP backup file potentially executing arbitrary code in the context of Aegis' app process.
I'd like to suggest revising the backup format to not consist of serialized Java objects, but to use something like JSON instead.
The text was updated successfully, but these errors were encountered: