This article was published on May 14, 2018

Cross-platform Electron apps may be vulnerable to attack; update yours now

Update your apps!


Cross-platform Electron apps may be vulnerable to attack; update yours now

Electron is a popular framework for building cross-platform desktop applications using web technologies. The tool was created by GitHub, and is the basis of several popular apps like Slack, Visual Studio Code, Discord, and the Atom text editor.

And until very recently, it suffered from a vulnerability that could have allowed an adversary to execute their own arbitrary code on a victim’s computer.

The vulnerability, CVE-2018-1000136, was spotted by Trustwave’s eagle-eyed security researcher, Brendan Scarvell. It affects versions of Electron below 1.7.13, 1.8.4, or 2.0.0-beta.3. Thankfully, the Electron team has issued a fix, although it’s up to individual developers to implement it.

How it works

Electron apps are built with HTML, CSS, and JavaScript. If the developer requires, they can also integrate their app with Node.js, which lets the app access lower-level parts of the system. With Node, for example, the app could execute its own shell commands.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

Some apps which don’t require access to Node have it turned off by default. But what Scarvell discovered is a way to re-activate this in a particular circumstance.

All Electron apps have a config file. Buried in this is an attribute called nodeIngration. When this is set to false, access to the Node.js API and modules are deactivated by default.

With me so far? Great, because here’s where it gets a little complicated.

There’s a separate attribute called webviewTag. This controls the behavior of WebView, which allows an Electron app to embed a separate webpage.

If webviewTag is set to false, it also deactives nodeIngration. If it hasn’t been set at all, it implicitly defaults to false, just to be on the safe side.

Scarvell essentially figured out that an attacker could exploit a cross-site scripting vulnerability (remember that Electron apps are basically web apps, and therefore are likely rife with such issues) to create a new WebView element.

Here, the attacker would be able to create their own permissions, and switch nodeIntegration to True. You can read the finer details on the vulnerability disclosure on Trustwave’s websites.

Update your stuff

Electron is everywhere. Its popularity derives from the fact that it allows developers to create native-looking applications, without having to branch from the web technologies they’re intimately familiar with.

As mentioned, it’s used in some apps you’re probably using right now: like Slack, Atom, Skype, Github Desktop, and more.

Following responsible disclosure practices, Scarvell informed the Electron team of the issue several months ago, and an update for the software was issued in March. The onus now is on individual vendors to incorporate this patch into their app.

Users should be vigilant too. If you use an Electron-based app, make sure that you’re running the latest version — or better yet, have auto-updates enabled, where available.

The Next Web’s 2018 conference is just a few days away, and it’ll be ??. Find out all about our tracks here.

Get the TNW newsletter

Get the most important tech news in your inbox each week.