Exploit puts popular web and mobile apps at risk

INSUBCONTINENT EXCLUSIVE:
A new exploit could allow users to bypass security checks in Electron, a popular cross-platform development framework. The exploit, posted by Trustwave, has been patched and developers should update their apps as soon as possible.

The exploit could allow cross-site scripting in some apps by turning on nodeIntegration, a setting that lets the app connect not only to its own modules but also to Node.js modules.

From the announcement:

Electron applications are essentially web apps, which means they're susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js' built-in modules. This makes XSS particularly dangerous, as an attacker payload can do some nasty things such as require in the child_process module and execute system commands on the client-side. Atom had an XSS vulnerability not too long ago which did exactly that. You can remove access to Node.js by passing nodeIntegration: false into your application webPreferences.

Many popular apps use Electron, including Discord, Signal, Visual Studio Code, and GitHub. Slack also uses Electron for its apps.

The exploit depends on the nodeIntegration setting and the process of opening a new window. While in most cases nodeIntegration is set to false, in some cases you can set nodeIntegration to true and then pass other nefarious scripts, including ones that call the child_process module, which lets you make system calls like spawn, which in turn lets you run commands in the operating system.

You can see the Electron website here, and here is their blog post on the update. Most apps shouldn't be affected as long as you've upgraded the platform in the last few weeks.
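
The mitigation quoted from the announcement (nodeIntegration: false in webPreferences), together with the new-window path the article mentions, as an added example that is not code from the article, Trustwave or the Electron project. The function names and the allowlisted origin are hypothetical; setWindowOpenHandler is the window-open hook in current Electron releases, not necessarily the release the article covers.

```javascript
'use strict';

// Constructed allowlist (assumption): origins this hypothetical app may open in new windows.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Report whether a webPreferences object leaves Node.js reachable from page content.
// Only an explicit `false` counts as safe, since the article notes that a default
// Electron application includes access to Node.js' built-in modules.
function exposesNode(webPreferences = {}) {
  return webPreferences.nodeIntegration !== false;
}

// Return a copy of the BrowserWindow options with nodeIntegration forced off,
// leaving every other option the caller supplied untouched.
function hardenWindowOptions(options = {}) {
  return {
    ...options,
    webPreferences: { ...(options.webPreferences || {}), nodeIntegration: false },
  };
}

// Hypothetical policy for webContents.setWindowOpenHandler(): deny any new window
// whose URL is unparsable or off the allowlist, and force nodeIntegration off in
// the windows that are allowed, whatever the page requested.
function windowOpenPolicy({ url }) {
  let origin;
  try {
    origin = new URL(url).origin;
  } catch {
    return { action: 'deny' };
  }
  if (!ALLOWED_ORIGINS.has(origin)) return { action: 'deny' };
  return { action: 'allow', overrideBrowserWindowOptions: hardenWindowOptions() };
}

// In an Electron main process these would be wired up as:
//   const win = new BrowserWindow(hardenWindowOptions({ width: 800, height: 600 }));
//   win.webContents.setWindowOpenHandler(windowOpenPolicy);
```

The helpers are plain functions, so they can be unit-tested under Node.js without launching Electron.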