A security flaw in Electron, a widely used framework for building desktop applications with web technologies, leaves apps built on unpatched versions open to remote code execution attacks.
Electron underlies widely used desktop apps like Skype and Slack. This is the second critical remote code execution vulnerability of the year for Electron, after a bug affecting Electron apps on Windows was publicly disclosed in January.
This latest flaw was discovered by Trustwave researcher Brendan Scarvell. Electron has already issued fixed releases, but it’s up to each app’s developers to rebuild and ship their app on one of them. Electron versions up to and including 1.7.12, 1.8.3 and 2.0.0-beta.3 are vulnerable; the fix shipped in 1.7.13, 1.8.4 and a subsequent 2.0.0 beta.
The flaw is not itself an XSS bug. Rather, an ordinary cross-site scripting (XSS) hole in an app built on those versions, of the kind caused by failing to sanitize user input, becomes far more serious. Due to some specifics within Electron, explained in detail in Scarvell’s write-up, it’s a relatively small jump from that XSS to remote code execution, which could then lead to full ownership of the machine.
“A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js’ built-in modules. This makes XSS particularly dangerous, as an attacker’s payload can do some nasty things such as require in the child_process module and execute system commands on the client side,” Scarvell said.
It’s not yet clear which specific apps are vulnerable. Signal, which builds its desktop app on Electron, has indicated that its app is not affected by this flaw.
We’ve emailed Electron, the researchers and several developers to get a better idea of which apps were and are vulnerable, as well as how a user might be able to tell. We will update the story if and when we receive a response.
For developers, the key is to rebuild on a fixed Electron release as quickly as possible; for users, it is to install updated versions of their Electron-based apps as soon as they are offered, since the Electron runtime is bundled inside each app rather than patched separately.
here's a recent example of XSS -> system RCE in Electron: https://t.co/XhBgn10nKR
Electron has a flag that basically says "allow content to run system commands via Node" and it was possible for a context with that flag disabled to open a new context that had it enabled
— yan (@bcrypt) May 12, 2018
Developers who are unable to upgrade right away can mitigate the threat by following Electron’s published instructions, chief among them explicitly setting `webviewTag: false` in every window’s webPreferences rather than relying on the default.
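What that mitigation looks like in an app’s main process, as an added example that is not code from the article, Trustwave or the Electron project. It assumes a hypothetical app that only ever needs https child windows on the origins in ALLOWED_ORIGINS and never needs `<webview>` or Node in any renderer; ALLOWED_ORIGINS, hardenedWebPreferences and childWindowDecision are names chosen for this example. The point it shows beyond the text is that a `window.open()` features string can carry webPreferences, so the app decides child-window preferences itself instead of accepting whatever options the renderer requested.

```javascript
// Added example, not code from the article, Trustwave or the Electron project.
// Main-process hardening against the nodeIntegration bypass described above:
// a window with Node disabled could still open a child context (via
// window.open features or a <webview>) that had Node enabled. On the app
// side the defence is to be explicit about every dangerous preference and
// never to build child windows from options the renderer supplied.
//
// Assumptions (not from the article): the app only opens https child windows
// on ALLOWED_ORIGINS and needs neither <webview> nor Node in any renderer.
'use strict';

// Hypothetical allow-list for child windows.
const ALLOWED_ORIGINS = ['https://app.example.com'];

// Preferences a renderer could leverage for code execution if it managed to
// flip them in a new context; requests to set them are logged, never honoured.
const DANGEROUS_KEYS = [
  'nodeIntegration',
  'nodeIntegrationInWorker',
  'webviewTag',
  'preload',
  'sandbox',
  'contextIsolation',
];

// Explicit settings for every window that renders remote content. The bypass
// worked when webviewTag was merely left unset, so it is set to false here
// rather than relied on as a default.
function hardenedWebPreferences() {
  return {
    nodeIntegration: false, // renderer gets no require()
    contextIsolation: true, // preload code runs in its own JS world
    webviewTag: false,      // explicit: the bypass relied on this being unset
    sandbox: true,
  };
}

// Policy for a 'new-window' request (window.open, target=_blank).
// `requestedOptions` is what Electron would have used to build the child,
// including any webPreferences parsed from the window.open features string.
function childWindowDecision(rawUrl, requestedOptions, allowedOrigins) {
  let target;
  try {
    target = new URL(rawUrl);
  } catch (e) {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (target.protocol !== 'https:') {
    return { allow: false, reason: 'scheme ' + target.protocol + ' not allowed' };
  }
  if (!allowedOrigins.includes(target.origin)) {
    return { allow: false, reason: 'origin ' + target.origin + ' not allow-listed' };
  }
  const requested = (requestedOptions && requestedOptions.webPreferences) || {};
  const tampered = DANGEROUS_KEYS.filter((k) =>
    Object.prototype.hasOwnProperty.call(requested, k));
  // Allowed, but with our preferences, not the renderer's.
  return { allow: true, tampered: tampered, webPreferences: hardenedWebPreferences() };
}

// Wiring into Electron; this branch only runs inside an Electron main process.
if (process.versions.electron) {
  const electron = require('electron');
  const app = electron.app;
  const BrowserWindow = electron.BrowserWindow;

  app.on('ready', () => {
    const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });

    // Electron 1.x/2.x signature: (event, url, frameName, disposition, options).
    win.webContents.on('new-window', (event, url, frameName, disposition, options) => {
      // Never let Electron construct the child from renderer-influenced options.
      event.preventDefault();
      const decision = childWindowDecision(url, options, ALLOWED_ORIGINS);
      if (!decision.allow) {
        console.warn('blocked child window: ' + decision.reason);
        return;
      }
      if (decision.tampered.length > 0) {
        console.warn('renderer tried to set ' + decision.tampered.join(', '));
      }
      const child = new BrowserWindow({ show: false, webPreferences: decision.webPreferences });
      child.loadURL(url);
      child.once('ready-to-show', () => child.show());
      event.newGuest = child; // tell Electron which window fulfilled the request
    });

    win.loadURL('https://app.example.com/'); // hypothetical app URL
  });
}

if (typeof module !== 'undefined') {
  module.exports = { ALLOWED_ORIGINS, hardenedWebPreferences, childWindowDecision };
}
```

Run under plain Node, only the policy functions are exercised (the Electron wiring is skipped because `process.versions.electron` is absent); inside an Electron main process the same file creates the hardened window and vets every child window through `childWindowDecision`.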