Apps based on Electron framework are vulnerable to attack
The Electron framework -- the basis of popular apps including Skype, Slack, Signal and WordPress -- has been found to contain a security flaw that leaves it vulnerable to attack.
The GitHub-created tool has a vulnerability that allows hackers to execute arbitrary code on remote systems. CVE-2018-1000136 affects Electron 1.7.13 and older as well as Electron 1.8.4 and 2.0.0-beta.3, and the problem exists because of the interaction between Electron and Node.js.
- Google will require OEMs to provide regular Android security updates
- Amazon now offers a smart home security installation service
- Google's Project Zero reveals security flaw in Windows 10 S after Microsoft fails to fix it
The number of applications that are based on the Electron framework means that, potentially, there is a very large number of people affected by the vulnerability. Electron is incredibly popular because of the fact it makes it easy to port HTML, CSS and JS web apps into desktop apps.
Security researcher Brendan Scarvell found the nodeIntegration attribute that can be applied in Electron configuration, in combination with the webviewTag attribute, allows for a potential cross-site scripting exploit.
Technical details for my nodeIntegration bypass for Electron.js (CVE-2018-1000136) is up - https://t.co/Vnm9rAWp4g
— Brendan Scarvell (@menztrual) May 12, 2018
A few weeks ago, I came across a vulnerability that affected all current versions of Electron at the time (< 1.7.13, < 1.8.4, and < 2.0.0-beta.3). The vulnerability allowed nodeIntegration to be re-enabled, leading to the potential for remote code execution.
He goes on to say:
Electron applications are essentially web apps, which means they're susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js' built in modules. This makes XSS particularly dangerous, as an attacker's payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side. Atom had an XSS vulnerability not too long ago which did exactly that. You can remove access to Node.js by passing nodeIntegration: false into your application's webPreferences.
A patch is available via electronjs.org/blog/webview-fix.