Electron is a popular framework for building cross-platform desktop applications using web technologies. The tool was created by GitHub, and is the basis of several popular apps like Slack, Visual Studio Code, Discord, and the Atom text editor.
And until very recently, it suffered from a vulnerability that could have allowed an adversary to execute their own arbitrary code on a victim’s computer.
The vulnerability, CVE-2018-1000136, was spotted by Trustwave’s eagle-eyed security researcher, Brendan Scarvell. It affects versions of Electron below 1.7.13, 1.8.4, or 2.0.0-beta.3. Thankfully, the Electron team has issued a fix, although it’s up to individual developers to implement it.
How it works
Some apps which don’t require access to Node have it turned off by default. But what Scarvell discovered is a way to re-activate this in a particular circumstance.
All Electron apps have a config file. Buried in this is an attribute called nodeIngration. When this is set to false, access to the Node.js API and modules are deactivated by default.
With me so far? Great, because here’s where it gets a little complicated.
There’s a separate attribute called webviewTag. This controls the behavior of WebView, which allows an Electron app to embed a separate webpage.
If webviewTag is set to false, it also deactives nodeIngration. If it hasn’t been set at all, it implicitly defaults to false, just to be on the safe side.
Scarvell essentially figured out that an attacker could exploit a cross-site scripting vulnerability (remember that Electron apps are basically web apps, and therefore are likely rife with such issues) to create a new WebView element.
Here, the attacker would be able to create their own permissions, and switch nodeIntegration to True. You can read the finer details on the vulnerability disclosure on Trustwave’s websites.
Update your stuff
Electron is everywhere. Its popularity derives from the fact that it allows developers to create native-looking applications, without having to branch from the web technologies they’re intimately familiar with.
As mentioned, it’s used in some apps you’re probably using right now: like Slack, Atom, Skype, Github Desktop, and more.
Following responsible disclosure practices, Scarvell informed the Electron team of the issue several months ago, and an update for the software was issued in March. The onus now is on individual vendors to incorporate this patch into their app.
Users should be vigilant too. If you use an Electron-based app, make sure that you’re running the latest version — or better yet, have auto-updates enabled, where available.
The Next Web’s 2018 conference is just a few days away, and it’ll be 💥💥. Find out all about our tracks here.