@Willamin
Created May 1, 2020 15:23

Figma Local Server

A few months ago, Zoom caught a lot of attention for running a local webserver in the background after installing their desktop app. They did this to avoid the "Do you want to open this link in Zoom" prompt that appears in most web browsers.

Figma's desktop app does the same thing. When opening a link to a Figma document, the webapp makes a call to https://figmadaemon.com:44960/figma/desktop/can-open-url with userID and url parameters. If it determines that it can in fact open the URL, the webapp then makes a call to https://figmadaemon.com:44960/figma/desktop/open-url with the same parameters.

After some quick investigation, it turns out that figmadaemon.com resolves to 127.0.0.1.

# ignoring dig's comments and empty lines
$ dig figmadaemon.com | grep -v ';' | grep '\S'
figmadaemon.com.	21560	IN	A	127.0.0.1

I haven't explored an attack vector using this, but I would have preferred Figma disclose clearly that they are running a local web server and provide an option to disable it.
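To audit a machine for the same pattern, the dig check above can be generalized: flag any public name whose A/AAAA record points at loopback, then see whether something is listening on the port. This is an added example, not part of the original gist or Figma's code; the sample records other than the figmadaemon.com line are constructed, and `loopback_records` and `local_listener` are hypothetical helper names.

```python
import ipaddress
import socket

# Constructed sample of dig output. The figmadaemon.com line is the record
# shown above; the other names and addresses are made up for contrast.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG <<>> figmadaemon.com
;; ANSWER SECTION:
figmadaemon.com.\t21560\tIN\tA\t127.0.0.1
public.example.\t300\tIN\tA\t203.0.113.10
v6local.example.\t300\tIN\tAAAA\t::1
alias.example.\t300\tIN\tCNAME\tpublic.example.
"""


def loopback_records(dig_output):
    """Return (name, address) for each A/AAAA answer that points at loopback."""
    hits = []
    for line in dig_output.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # skip dig comments and blank lines
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] not in ("A", "AAAA"):
            continue  # not an address record (for example CNAME)
        try:
            addr = ipaddress.ip_address(fields[4])
        except ValueError:
            continue  # malformed address field
        if addr.is_loopback:  # 127.0.0.0/8 or ::1
            hits.append((fields[0].rstrip("."), str(addr)))
    return hits


def local_listener(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port on this machine."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


if __name__ == "__main__":
    for name, addr in loopback_records(SAMPLE_DIG_OUTPUT):
        print(f"{name} -> {addr} (public name resolving to loopback)")
    # 44960 is the port from the URLs above.
    print("listener on 127.0.0.1:44960:", local_listener(44960))
```

Feed it real `dig` output for the hostnames a desktop app's web client contacts; a hit plus an open port means a page in the browser can reach that local service.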
