Security Hole in every Xojo / RealStudio app

There is a big issue in the Xojo and Real Studio runtime: at startup it loads every dylib it finds in the app's Frameworks folder.

Below you can download an empty dylib. It is a plugin library for Xojo/Real Studio for Mac which does nothing but write a message to Console.app. You can drop it into any app made with Xojo or Real Studio (Carbon or Cocoa, it doesn't matter). When you launch the app, the library is loaded and executed.

This causes trouble for us, as some users have installers which don't remove the old dylibs. The new version then loads the old plugin dylibs and complains about bad registration or missing entry points.

Not to forget, this is also an easy way to add a key logger or other malware to every such app!
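Since the runtime executes whatever it finds in `Contents/Frameworks`, one practical mitigation for both problems above (stale plugins left behind by old installers, and dylibs that were never part of the build) is to audit that folder against the list of libraries the build actually shipped. The script below is an added example, not code from the original post or from Xojo or MBS; the bundle name `Demo.app`, the plugin file names and the allowlist file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the Frameworks folder of a Xojo / Real Studio app bundle
# against an allowlist of the dylibs the build is expected to contain.
# Every other .dylib in that folder will be loaded and run by the runtime,
# so anything not on the list (a stale plugin or a planted library) is reported.
# The app and plugin names used in the usage section are hypothetical.

# audit_frameworks <path/to/App.app> <allowlist file, one dylib name per line>
# Prints one "UNEXPECTED:" line per dylib that is not on the allowlist.
# Returns 0 when the folder is clean, 1 when something unexpected was found,
# 2 when the bundle has no Frameworks folder at all.
audit_frameworks() {
    app="$1"
    allow="$2"
    fw="$app/Contents/Frameworks"
    [ -d "$fw" ] || { echo "no Frameworks folder in $app" >&2; return 2; }
    rc=0
    for lib in "$fw"/*.dylib; do
        [ -e "$lib" ] || continue          # the glob matched nothing
        name=$(basename "$lib")
        # -x: the whole line must match, so "Foo.dylib" does not accept "Foo.dylib.bak"
        if ! grep -qx "$name" "$allow"; then
            echo "UNEXPECTED: $lib"
            rc=1
        fi
    done
    return $rc
}

# Usage with a constructed bundle (hypothetical names):
#   printf 'Example_Plugin.dylib\n' > allow.txt
#   audit_frameworks /Applications/Demo.app allow.txt
# An installer or a post-build script can run this before the app is launched
# and refuse to proceed if the exit status is not 0.
```

The allowlist should be generated from the build output (the framework and plugin dylibs your project really uses) and shipped with the installer, so that an old plugin left behind by a previous version, or a file that was never part of the build, is caught before the runtime has a chance to load it.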

See also feedback cases 31153 and 2089.
Test project and library: test.zip
09 12 13 - 10:54
two comments

This is not a security hole because if you have permissions to put the dylib in the frameworks folder, you could just modify the binary itself.
Geoff Perlman (Email) (URL) - 09 12 13 - 15:38

Of course you can discuss if this is a security problem or just a design decision. But I think it would be bad if someone starts writing an app which simply injects code by adding their own dylib into the folder for all Xojo made apps on a computer. Or just includes the lib in a modified download/installer. While people can of course replace libs there with hacked ones, I think it’s much easier to just add a new one.
Christian Schmitz (URL) - 09 12 13 - 17:10
