Hello. This is my first time using balena etcher, so please bear with me. Every time I try to flash something, BalenaEtcher sends a password prompt, pic given here. I enter the password to my computer, but it doesn’t accept it. 3 more times, and it stops the process entirely.
Balena acquiesces to Mac security in a weird, funky, hacky way, unlike typical Mac apps, which can prompt for an administrative credential and escalate themselves. I’ve seen virtually no applications that prompt for credentials in the way Balena does.
If you provide a standard user, Balena fails with an error related to not being able to spawn processes.
If you are ‘2’, then you also can’t do “sudo su -”.
Huge pain: every time I need to use Balena I have to remember whatever my workaround was to this bad security prompt / security escalation it performs.
No way I’m providing your app (or maybe even you - who can tell?) with my sudo password. Apple’s API warns that this approach must never be trusted and that instead the access request should pass through them. So as long as Apple doesn’t trust you, I also don’t.
From your code, the GUI spawns a helper, then talks to it over WebSocket. The client side even has comments saying authentication is missing:
lib/gui/app/modules/api.ts:100-101 → TODO: use the path as cheap authentication
lib/util/api.ts:67 → same TODO
The privileged helper binds a WebSocket server here:
lib/util/api.ts:63-70
and it accepts commands like scan, write, sourceMetadata, cancel, skip, terminate from incoming WebSocket messages:
lib/util/api.ts:121-129
lib/util/api.ts:166-209
lib/util/api.ts:220-257
But there is no actual auth check there. You even generate an ETCHER_SERVER_ID in the parent (lib/gui/app/modules/api.ts:195-197), but in the helper it is commented out and unused (lib/util/api.ts:54-56, lib/util/api.ts:65). So we have a root-capable helper controlled over localhost with no real authentication.
If you found an actual exploit, please reach out to security at balena.io for a safe disclosure.
If it’s just concern about the architecture, I agree with you. I wrote that TODO as part of a bigger project that has been put on the back burner; I’ll have another look.