A few months ago, Zoom caught a lot of attention for running a local webserver in the background after installing their desktop app. They did this to avoid the "Do you want to open this link in Zoom" prompt that appears in most web browsers.
Figma's desktop app does the same thing. When opening a link to a Figma document, the webapp will make a call to https://figmadaemon.com:44960/figma/desktop/can-open-url with userID and url parameters. If it determines that it can in fact open the url, then the webapp will make a call to https://figmadaemon.com:44960/figma/desktop/open-url with the same parameters.
After some quick investigation, it turns out that figmadaemon.com resolves to 127.0.0.1:
$ dig +noall +answer figmadaemon.com
figmadaemon.com. 21599 IN A 127.0.0.1
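To make that handshake concrete, here is an added Python audit helper. It is not Figma's code and not from the original post; it checks whether the daemon hostname really points back at loopback, whether anything is listening on the port, and what the two endpoints answer for a given URL. The hostname, port, endpoint paths and the userID/url parameter names are taken from the post. The fake_daemon stand-in is constructed so the script runs offline; it simply mirrors the answer the post reports for a non-Figma URL, and the assumption that the real daemon accepts only figma.com hosts is mine.

```python
"""Audit helper for a desktop app's loopback web server (added example).

Reproduces the two-step can-open-url / open-url handshake and checks the
DNS-to-loopback trick that makes it work from a browser.
"""
import ipaddress
import json
import socket
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import urlopen

DAEMON_HOST = "figmadaemon.com"          # from the post
DAEMON_PORT = 44960                      # from the post
BASE = f"https://{DAEMON_HOST}:{DAEMON_PORT}/figma/desktop"


def resolves_to_loopback(hostname, resolver=socket.gethostbyname_ex):
    """True if every A record for hostname is a loopback address.

    The resolver is injectable so the check can be run against a recorded
    answer without network access."""
    _, _, addrs = resolver(hostname)
    return bool(addrs) and all(ipaddress.ip_address(a).is_loopback for a in addrs)


def port_is_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def build_request(endpoint, user_id, url):
    """Build the URL the webapp calls; endpoint is 'can-open-url' or 'open-url'."""
    return f"{BASE}/{endpoint}?" + urlencode({"userID": user_id, "url": url})


def parse_daemon_reply(endpoint, body):
    """Extract the boolean each endpoint returns ({"canOpen": ..} / {"opened": ..})."""
    key = {"can-open-url": "canOpen", "open-url": "opened"}[endpoint]
    return bool(json.loads(body).get(key, False))


def _https_get(request_url):
    """Default fetcher: a real HTTPS GET against the local daemon."""
    return urlopen(request_url, timeout=2).read().decode()


def probe(user_id, url, fetch=_https_get):
    """Run the handshake and return (canOpen, opened).

    open-url is only called when can-open-url said yes, matching the flow
    the webapp follows."""
    can_open = parse_daemon_reply(
        "can-open-url", fetch(build_request("can-open-url", user_id, url)))
    if not can_open:
        return False, False
    opened = parse_daemon_reply(
        "open-url", fetch(build_request("open-url", user_id, url)))
    return can_open, opened


def fake_daemon(request_url):
    """Constructed stand-in for the local daemon so this runs offline.

    It answers the way the post observed for a non-Figma URL (false/false);
    accepting only figma.com hosts is an assumption, not observed behaviour."""
    parsed = urlparse(request_url)
    target = parse_qs(parsed.query).get("url", [""])[0]
    is_figma = urlparse(target).hostname in ("figma.com", "www.figma.com")
    if parsed.path.endswith("/can-open-url"):
        return json.dumps({"canOpen": is_figma})
    return json.dumps({"opened": is_figma})


if __name__ == "__main__":
    # Offline demo against the constructed stand-in; pass no fetch= to hit
    # the real daemon (requires the desktop app to be installed).
    recorded = lambda h: (h, [], ["127.0.0.1"])   # the dig answer from the post
    print("loopback:", resolves_to_loopback(DAEMON_HOST, resolver=recorded))
    print("listening:", port_is_listening(DAEMON_PORT))
    print("non-figma:", probe("42", "https://example.com/not-figma", fetch=fake_daemon))
    print("figma:", probe("42", "https://www.figma.com/file/abc", fetch=fake_daemon))
```

Running it with the default fetcher on a machine with the desktop app installed shows whether the daemon is reachable and which URLs it is willing to hand to the app; the loopback check is the part worth reusing for any other product that ships a public hostname pointing at 127.0.0.1.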
I haven't explored an attack vector using this but will be looking into it. I did quickly check that a definitely-not-figma url would open the application. In this case:
/can-open-url returns { "canOpen": false }
/open-url returns { "opened": false }
I firmly believe that all applications that run local web servers like this should: