A few months ago, Zoom caught a lot of attention for running a local webserver in the background after installing their desktop app. They did this to avoid the "Do you want to open this link in Zoom" prompt that appears in most web browsers.
Figma's desktop app does the same thing. When a link to a Figma document is opened, the webapp makes a call to https://figmadaemon.com:44960/figma/desktop/can-open-url with userID and url parameters. If the daemon reports that it can in fact open the url, the webapp then makes a call to https://figmadaemon.com:44960/figma/desktop/open-url with the same parameters.
After some quick investigation, it turns out that figmadaemon.com resolves to 127.0.0.1, so both of these "remote" calls land on a web server that the desktop app runs on the local machine.
# ignoring dig's comments and empty lines
$ dig figmadaemon.com | grep -v ';' | grep '\S'
figmadaemon.com. 21560 IN A 127.0.0.1
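The two-step flow above and the dig result are easy to turn into a reusable check. The following is an added example, not Figma's code or the original post's: it builds the two daemon URLs with the userID and url parameters exactly as described, and it parses dig-style answer lines to flag any hostname whose A or AAAA record points at a loopback address (the pattern both Zoom and Figma use). The dig sample is constructed: it contains the real figmadaemon.com answer from the post plus two made-up records so the filter has something to ignore.

```python
"""Audit helper: spot local daemons hiding behind public DNS names.

Added example, not Figma's code. It (1) builds the two daemon URLs as the
post describes them and (2) parses dig-style answer lines and flags any
hostname whose A/AAAA record resolves to a loopback address.
"""
import ipaddress
from urllib.parse import urlencode, urlunsplit

DAEMON_HOST = "figmadaemon.com"
DAEMON_PORT = 44960
ENDPOINTS = {
    "can_open": "/figma/desktop/can-open-url",
    "open": "/figma/desktop/open-url",
}


def daemon_url(action, user_id, target_url):
    """Return the URL the webapp calls for `action` ("can_open" or "open").

    Parameter names (userID, url) are the ones named in the post.
    """
    query = urlencode({"userID": user_id, "url": target_url})
    netloc = f"{DAEMON_HOST}:{DAEMON_PORT}"
    return urlunsplit(("https", netloc, ENDPOINTS[action], query, ""))


def parse_dig_answers(text):
    """Parse dig answer lines of the form `name. TTL IN A 127.0.0.1`.

    Comment lines (starting with ';') and blank lines are skipped, as are
    record types other than A/AAAA. Returns (name, rrtype, address) tuples.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) != 5 or fields[2] != "IN" or fields[3] not in ("A", "AAAA"):
            continue
        records.append((fields[0].rstrip("."), fields[3], fields[4]))
    return records


def is_loopback(address):
    """True for 127.0.0.0/8 and ::1; False for anything else or garbage."""
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def loopback_aliases(text):
    """Hostnames in dig output that resolve to loopback, with the address."""
    hits = {(name, addr) for name, _, addr in parse_dig_answers(text) if is_loopback(addr)}
    return sorted(hits)


# Constructed sample: the post's real answer for figmadaemon.com plus two
# made-up records (TEST-NET address and a local ::1 alias) for contrast.
SAMPLE_DIG = """\
; <<>> DiG 9.10.6 <<>> figmadaemon.com

;; ANSWER SECTION:
figmadaemon.com.\t21560\tIN\tA\t127.0.0.1
example.test.\t3600\tIN\tA\t203.0.113.10
local6.test.\t60\tIN\tAAAA\t::1
"""

if __name__ == "__main__":
    print(daemon_url("can_open", "123", "https://www.figma.com/file/abc"))
    for name, addr in loopback_aliases(SAMPLE_DIG):
        print(f"{name} -> {addr}: a local service answers for this public name")
```

Running the script against a real `dig` capture (`dig figmadaemon.com | python3 audit.py` would only need `sys.stdin.read()` in place of SAMPLE_DIG) gives a quick way to inventory which desktop apps on a machine are exposing a local listener under a public hostname.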
I haven't explored an attack vector using this, but I would have preferred Figma disclose clearly that they are running a local web server and would have provided an option to disable it.