Markdown has become increasingly popular among developers and hackers for note-taking and documentation, thanks to its simplicity and ease of use. However, the rise of Markdown note-taking apps has also raised concerns about their security. In our recent research, we investigated several widely used Markdown editors built on Electron and identified a number of security issues that could lead to local file disclosure or remote code execution (RCE). In this talk, we will provide an in-depth analysis of the vulnerabilities we found and discuss the potential risks associated with converting Markdown to HTML and vice versa. We will examine the security measures implemented by the developers and explore possible ways attackers can exploit the language features of Markdown to hide their exploits. We will also highlight the risks associated with copying and pasting content into these Markdown editors. We believe that our findings and insights will be valuable for both hackers and developers.
Li Jiantao is a security researcher at STAR Labs (@starlabs_sg). His research focuses on application security and browser-related web security. He has been a challenge creator for RealWorld CTF and XCTF Finals for years. Jiantao is currently an active member of the r3kapig CTF team.