Electron is a popular framework for building cross-platform desktop applications using web technologies. The tool was created by GitHub, and is the basis of several popular apps like Slack, Visual Studio Code, Discord, and the Atom text editor.
And until very recently, it suffered from a vulnerability that could have allowed an adversary to execute their own arbitrary code on a victim’s computer.
The vulnerability, CVE-2018-1000136, was spotted by Trustwave’s eagle-eyed security researcher, Brendan Scarvell. It affects versions of Electron below 1.7.13, 1.8.4, or 2.0.0-beta.3. Thankfully, the Electron team has issued a fix, although it’s up to individual developers to implement it.
How it works
Electron apps are built with HTML, CSS, and JavaScript. If the developer requires, they can also integrate their app with Node.js, which lets the app access lower-level parts of the system. With Node, for example, the app could execute its own shell commands.
Some apps which don’t require access to Node have it turned off by default. But what Scarvell discovered is a way to re-activate this in a particular circumstance.
All Electron apps have a config file. Buried in this is an attribute called nodeIngration. When this is set to false, access to the Node.js API and modules are deactivated by default.
With me so far? Great, because here’s where it gets a little complicated.
There’s a separate attribute called webviewTag. This controls the behavior of WebView, which allows an Electron app to embed a separate webpage.
If webviewTag is set to false, it also deactives nodeIngration. If it hasn’t been set at all, it implicitly defaults to false, just to be on the safe side.
Scarvell essentially figured out that an attacker could exploit a cross-site scripting vulnerability (remember that Electron apps are basically web apps, and therefore are likely rife with such issues) to create a new WebView element.
here's a recent example of XSS -> system RCE in Electron: https://t.co/XhBgn10nKR
Electron has a flag that basically says "allow content to run system commands via Node" and it was possible for a context with that flag disabled to open a new context that had it enabled
— yan (@bcrypt) May 12, 2018
Here, the attacker would be able to create their own permissions, and switch nodeIntegration to True. You can read the finer details on the vulnerability disclosure on Trustwave’s websites.
Update your stuff
Electron is everywhere. Its popularity derives from the fact that it allows developers to create native-looking applications, without having to branch from the web technologies they’re intimately familiar with.
As mentioned, it’s used in some apps you’re probably using right now: like Slack, Atom, Skype, Github Desktop, and more.
The one bug to bring them all down – CVE-2018-1000136 (including, but not limited to: Signal Desktop, Slack, Discord, Atom, Visual Studio Code, Github Desktop) https://t.co/dPDkecJzFm #electron #vulnerability
— x0rz (@x0rz) May 12, 2018
Following responsible disclosure practices, Scarvell informed the Electron team of the issue several months ago, and an update for the software was issued in March. The onus now is on individual vendors to incorporate this patch into their app.
Users should be vigilant too. If you use an Electron-based app, make sure that you’re running the latest version — or better yet, have auto-updates enabled, where available.
The Next Web’s 2018 conference is just a few days away, and it’ll be ??. Find out all about our tracks here.
Get the TNW newsletter
Get the most important tech news in your inbox each week.