Risk ID: RISK-002 / VULN-002
Severity: HIGH (CVSS 7.5)
Component: DBus Service
Attack Vector: Local
Privileges Required: Low
Impact: Unauthorized Operations
Description
The DBus API does not implement explicit authentication. Any process in the same user session can call any method, including sensitive operations like deleting sync configuration or forcing re-authentication.
Vulnerable Endpoints
<interface name="com.strangedaystech.LNXDrive.Manager">
<!-- No auth required -->
<method name="RemoveAccount">
<arg type="s" name="namespace"/>
</method>
<method name="ResetSync"/>
<method name="ClearCache"/>
</interface>
Attack Scenario
# Malicious script removes all accounts
dbus-send --session --dest=com.strangedaystech.LNXDrive \
/org/strangedaystech/LNXDrive/Manager \
com.strangedaystech.LNXDrive.Manager.ResetSync
Impact
- Account configuration deletion
- Forced re-authentication
- Data loss from cache clearing
- Denial of service
Remediation (Short-term P0)
- Implement PolicyKit integration for sensitive operations
- Require user confirmation for destructive operations
- Add caller identification logging
Simulation Scenario
SIM-L1-002
Source
Imported from .straymark/02-design/risk-analysis/RISK-002-security-vulns.md on 2026-05-29.
Risk ID: RISK-002 / VULN-002
Severity: HIGH (CVSS 7.5)
Component: DBus Service
Attack Vector: Local
Privileges Required: Low
Impact: Unauthorized Operations
Description
The DBus API does not implement explicit authentication. Any process in the same user session can call any method, including sensitive operations like deleting sync configuration or forcing re-authentication.
Vulnerable Endpoints
Attack Scenario
# Malicious script removes all accounts dbus-send --session --dest=com.strangedaystech.LNXDrive \ /org/strangedaystech/LNXDrive/Manager \ com.strangedaystech.LNXDrive.Manager.ResetSyncImpact
Remediation (Short-term P0)
Simulation Scenario
SIM-L1-002
Source
Imported from
.straymark/02-design/risk-analysis/RISK-002-security-vulns.mdon 2026-05-29.