Insecure GitHub login! #561
On first start you have to log in to your GitHub account.
But the login does not come from the standard browser.
https://prnt.sc/8HUPdBzRjiqs
So I do not know where the page, which looks like the GitHub login, comes from, nor where the data is sent.
Any fraudulent app uses such a data-scam page.
I have to entrust my highly sensitive credentials to an unknown/untrusted third-party application? This is not acceptable. (and also not necessary)
Solution:
Open the GitHub authentication request in the default browser. In the trusted default browser, you are already logged in, so no transfer of personal credentials is usually required. This ensures that no third-party application knows the credentials.

Comments

Gitify is an Electron app - basically Chromium + Node. The window that opens is an Electron window (running Chromium) - another window of the Gitify app. Your credentials are not shared with any third-party application; they always stay inside Gitify.

Could it just open my browser, where I am already logged in? The Electron login popup can't use my password manager and it can't use WebAuthn for security-key-based login. Most other apps just do an OAuth2 workflow login to get the login token and redirect it to an app URL.

This blocks us from using Gitify without a personal access token. We have SSO set up for GitHub. When I try to authorize for an organization I can enter my username and password on our company's login page. The next step would be to enter the 2FA code, but Gitify just closes the window. So I cannot authorize for my orgs.

I've started on a fix for this in #654. Help is welcome.

Closing as covered by #485.