is the Curse App UI supposed to allow users to tinker with things in the UI?
i accidentally pressed F12 in Curse Client and the Chromium Development Tools panel popped open... looks like the Curse App main UI is based on the Chromium browser...
looking into it.. i see that Electron is the actual interface engine, and that is based on Chromium mixed with some other "soup" ingredients.... so...was F12 development tools supposed to be available to regular users?
i just realized that Curse App is accessing my Yubikey at startup... the access LED on my key lights up for about 1 second when Curse App starts up and then turns off. This does not happen when Chrome starts up.
why is the Curse App looking at my U2F security key?
I wonder if this is related to how every time I'd start the Curse App on my laptop it'd engage the CD drive, like it was checking it for anything to open.
For what it's worth, the U2F spec is written in such a way that user interaction is required to do anything useful (see image). There's not a lot a malicious application could do unless you pressed the button to authorise an action. With that said, I don't think Electron supports U2F.
With regard to the dev tools, they've been available for a while (and via a command line switch, --openDevTools=True IIRC). It's not really a security issue and it's well known that the Curse app is built with Electron. All you're going to be able to change is your own client side view of things - all data etc is retrieved from/sent to a set of central service APIs.
I can't see that they do any harm being available - and in any case there's nothing stopping you manually visiting the embedded web-server in your favourite browser once you know what port it's listening on :P
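What "user interaction is required" means on the verifying side, as an added example that is not part of the original posts and is not Curse or Blizzard code: a server checking a raw FIDO U2F authentication response (user-presence byte, 4-byte counter, ECDSA signature) rejects it unless the touch flag is set, the counter has advanced, and the signature covers both. The software token, the function names and the `example.test` origin are constructed for illustration.

```javascript
const crypto = require('crypto');

const UP_FLAG = 0x01; // bit 0 of the user-presence byte: the token was touched

// Raw response layout: user presence (1 byte) | counter (4 bytes, big-endian) | DER ECDSA signature
function parseAuthResponse(raw) {
  if (raw.length < 6) throw new Error('response too short');
  return { userPresence: raw[0], counter: raw.readUInt32BE(1), signature: raw.subarray(5) };
}

// The token signs: appParam (32) | user presence (1) | counter (4) | challengeParam (32)
function verifyAuthResponse(raw, { appParam, challengeParam, publicKey, lastCounter }) {
  const r = parseAuthResponse(raw);
  if ((r.userPresence & UP_FLAG) === 0) return { ok: false, reason: 'no user presence' };
  if (r.counter <= lastCounter) return { ok: false, reason: 'counter did not increase' };
  const signed = Buffer.concat([appParam, raw.subarray(0, 5), challengeParam]);
  const sigOk = crypto.verify('sha256', signed, publicKey, r.signature);
  return sigOk ? { ok: true, counter: r.counter } : { ok: false, reason: 'bad signature' };
}

// Constructed software token standing in for the hardware key. It signs even when
// "untouched" so that the server-side check above can be exercised.
function softTokenSign(privateKey, appParam, challengeParam, counter, touched) {
  const head = Buffer.alloc(5);
  head[0] = touched ? UP_FLAG : 0x00;
  head.writeUInt32BE(counter, 1);
  const sig = crypto.sign('sha256', Buffer.concat([appParam, head, challengeParam]), privateKey);
  return Buffer.concat([head, sig]);
}

// Runs four constructed responses through the verifier (stored counter is 41).
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
  const ctx = {
    appParam: sha256('https://example.test'),        // constructed origin
    challengeParam: sha256('constructed client data'),
    publicKey, lastCounter: 41,
  };
  const sign = (counter, touched) => softTokenSign(privateKey, ctx.appParam, ctx.challengeParam, counter, touched);
  const tampered = sign(42, false);
  tampered[0] |= UP_FLAG; // flag set after signing, so the signature no longer matches
  return {
    touched: verifyAuthResponse(sign(42, true), ctx),
    untouched: verifyAuthResponse(sign(42, false), ctx),
    replayed: verifyAuthResponse(sign(41, true), ctx),
    tamperedFlag: verifyAuthResponse(tampered, ctx),
  };
}
```

Because the user-presence byte is inside the signed data, software on the host cannot set the flag on the key's behalf.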
the dev tools.. i was a bit surprised about them being available without a command line switch to enable them, but did not consider it a security problem.
also, i was not worried about the key's security as i already knew it requires physical user interaction with the key's capacitive touch sensor. I was more curious about the possible upcoming features in the Curse App, since the app is looking at the key that probably means that communication support with the key is there, ready to be used soon (^TM).
so... does that mean that the Curse network is preparing to deploy support for 2-factor authentication with FIDO U2F anytime soon?
(hopefully it does.)
- Chrome and Opera (chromium-based) already support U2F;
- Firefox already has support via a browser add-on and is scheduled to have full native support for U2F in Q1 or Q2 2017 ( https://wiki.mozilla.org/Security/CryptoEngineering ). Firefox already has a native FIDO U2F v1.1 JS API (but without USB comms) present in the current branch, but is not enabled unless you turn it on via about:config... since the browser doesn't support native USB communications yet, the API is only useful for testing the framework so far, with a built-in software token ... Mozilla is still working on this.
- Microsoft's browsers are a big unknown... they keep promising it but without announcing even a rough time-frame for it.
and another update: i now see that the BattleNet desktop app is also causing the LED of the key to blink briefly when i start the app... i wonder if they're also preparing to deploy U2F.
edit: opened a ticket with Blizzard and asked about the LED and possible plans for U2F... waiting for a reply. /edit
and... i got the most useless ticket reply from Blizzard that i ever saw... i already knew about the system statistics being gathered... but i didn't think they'd dig in down to activating the LED on the key and had hoped for more - that they are preparing the app for FIDO U2F... instead they basically told me to RTFM and ask their legal department via SNAIL MAIL if i want to know more :(
*sigh* there go my hopes for U2F support in BattleNet ... smashed to dust. i guess the same system-statistics-gathering applies to the Curse App too... no U2F 2-factor auth is coming either?
As stated in our Terms of Use, which you agreed to when you opened the account
"Blizzard may transfer software program files to the System, including a program that will collect and send Blizzard CPU, RAM, operating system, video card, and sound card information from the System. "
You can read more here
http://eu.blizzard.com/en-gb/company/legal/eula.html
Especially "4. Consent to Monitor." part.
Should you need more information, please contact our legal department
Blizzard Entertainment SAS
ATTN: Legal Department
145 rue Yves le Coz
78000 Versailles
France
Customer Support is unable to provide you with more information on this.
Since this forum is intended for feedback on the WoW sites, I'm going to go ahead and lock this thread. If you'd like to discuss any App features, or just give feedback, you can do so by visiting this link: https://curse.com/invite/SatsukeDarkskyGormaul