Malwarebytes flags riskware sites as soon as project runs

[atemyshorts]

[atemyshorts]

So this is not to poop on the creator, but I hope this helps anyone looking to secure this a bit better.

I ran a security audit on the code using AI - results below:

Security Audit Report: ShadowBroker OSINT Dashboard

Date: 2026-03-15
Status: Initial Audit Complete
Critical Findings: 1 | High: 2 | Medium: 2 | Low: 1

---

Executive Summary

The security audit of the ShadowBroker project confirms that while the tool is designed for legitimate OSINT purposes, it contains several structural weaknesses and powerful features that are being correctly flagged as "Riskware" by security software (Malwarebytes). The most significant risk is the unprotected state of administrative endpoints by default, which allows arbitrary remote code execution (RCE) via the built-in self-updater.

---

Detailed Findings

[CRITICAL] Unprotected Administrative Control

• Location: backend/main.py (require_admin dependency)
• Description: The administrative check returns None (allowing access) if no ADMIN_KEY is configured in the environment. This is the default state after cloning.
• Impact: Anyone with network access to the API can modify settings, download malicious updates, or leak existing API keys.

[HIGH] Remote Code Execution (RCE) via Self-Updater

• Location: backend/services/updater.py
• Description: The application can download, extract, and replace its own source code from a GitHub release ZIP.
• Impact: Combined with the unprotected admin access, this allows an attacker to fully compromise the host by shipping a malicious update. This feature is also the primary reason for "Riskware" flags.

[HIGH] Riskware Behavior (Network Evasion)

• Location: backend/services/network_utils.py
• Description: The app attempts to bypass network blocks by falling back to curl via subprocess if Python requests fails.
• Impact: This behavioral pattern (command execution + networking) is highly suspicious to EDR tools.

[MEDIUM] Server-Side Request Forgery (SSRF)

• Location: backend/services/radio_intercept.py, backend/services/geopolitics.py
• Description: User-provided inputs (like system names) or data from external news feeds are used to construct outbound HTTP requests.
• Impact: An attacker could potentially probe internal network services or cause the server to connect to malicious domains (as seen with the GDELT "Riskware" detections).

---

Remediation Roadmap

Priority	Strategy	Action
P0	Access Control	Enforce a mandatory ADMIN_KEY. Prevent startup if it is missing or too weak.
P1	Capability Scrubbing	Completely remove updater.py and the curl fallback in network_utils.py.
P2	Data Sanitization	Disable GDELT title enrichment. Implement strict URL validation in fetchers.
P3	Hardening	Restrict CORS origins to localhost by default.

---

Conclusion

The project is safe to use only if these powerful administrative and networking capabilities are scrubbed or strictly locked down. The "Riskware" detections are accurate reflections of the potential for abuse in the current implementation.

[BigBodyCobain]

Will definitely work on fixing those on the next update. The bypasses were used to ensure I got the GDELT data (Global incidents). I will explore another method to work with. Now the Administrator control and RCE are concerning. I was merely trying to allow users to get the new version when they click the update button. It wasn't meant to be malicious. I'll correct that. The screenshot you cited is one of the sources I use on my RSS feed.

Thank you for keeping me accountable. As this project grows, I'm finding I have to be even more vigilant to ensure everything is as safe as possible for users.

[atemyshorts]

Thanks! I run the same audits on my code too. And I always find something! Best we all try to keep things as secure as possible. Thanks for the great project!