Electron is widely used: apps built on top of it include Microsoft Visual Studio Code and Skype, GitHub’s code editor Atom, Brackets, and official desktop apps such as Slack, Discord, Basecamp, WordPress.com and many more.
The issue was reported by Trustwave researcher Brendan Scarvell, who identified that the vulnerability affected all current versions of Electron at the time (< 1.8.4, and < 2.0.0-beta.3). Scarvell says the vulnerability allows nodeIntegration to be re-enabled, leading to potential remote code execution.
“There’s also a WebView tag feature which allows you to embed content, such as web pages, into your Electron application and run it as a separate process. When using a WebView tag you are also able to pass in a number of attributes, including nodeIntegration. WebView containers do not have nodeIntegration enabled by default. The documentation states that if the webviewTag option is not explicitly declared in your webPreferences, it will inherit the same permissions of whatever the value of nodeIntegration is set to.”
Brendan Scarvell goes on to detail the issue, with proof-of-concept code, in his blog post. For all the technical details, see that post.
This vulnerability was assigned the identifier CVE-2018-1000136. Scarvell ends by thanking the Electron team for their quick response in providing a patch to the public.
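
The inheritance described in the quote can be checked for in an application's own window settings. The following is an added example, not code from Scarvell's post or the Electron project: the function names and sample configurations are assumptions made for illustration, and the version ranges are the ones stated in this article.

```javascript
// Added example: audits webPreferences as plain data, so it runs without Electron.

// Affected ranges exactly as the article states them: < 1.8.4 and < 2.0.0-beta.3.
function isAffectedVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(String(version));
  if (!m) return null; // unrecognised version string: report it, do not guess
  const [major, minor, patch] = m.slice(1, 4).map(Number);
  if (major < 1) return true;
  if (major === 1) return minor < 8 || (minor === 8 && patch < 4);
  if (major === 2 && minor === 0 && patch === 0 && m[4] !== undefined) {
    return Number(m[4]) < 3;
  }
  return false;
}

// Inheritance described in the quote: an undeclared webviewTag takes the value
// of nodeIntegration (which defaulted to true in these releases).
function effectiveWebviewTag(prefs) {
  if (typeof prefs.webviewTag === 'boolean') return prefs.webviewTag;
  return prefs.nodeIntegration !== false;
}

// Returns a list of findings for one window's webPreferences (hypothetical helper).
function auditWebPreferences(prefs, electronVersion) {
  const findings = [];
  if (prefs.nodeIntegration !== false) findings.push('nodeIntegration not disabled');
  if (typeof prefs.webviewTag !== 'boolean') findings.push('webviewTag inherited, not declared');
  if (effectiveWebviewTag(prefs)) findings.push('webview tag enabled');
  const affected = isAffectedVersion(electronVersion);
  if (affected === null) findings.push('unrecognised Electron version');
  if (affected) findings.push('Electron version in affected range');
  return findings;
}

// Constructed sample configurations (not taken from any real application).
const implicitConfig = { nodeIntegration: false };                    // relies on inheritance
const explicitConfig = { nodeIntegration: false, webviewTag: false }; // declares both

console.log(auditWebPreferences(implicitConfig, '1.8.3'));
console.log(auditWebPreferences(explicitConfig, '1.8.4'));
```

An empty findings list means both options are declared explicitly and the version is outside the ranges quoted above; it does not replace checking the vendor's advisory for the release line in use.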