ISSCloud - Information Systems Solutions


Security Flaw discovered on Electron-Based Apps



Electron (formerly Atom Shell) is an open-source framework developed and maintained by GitHub. Electron allows building cross-platform desktop applications with web technologies such as HTML, CSS and JavaScript, by combining the Chromium rendering engine and Node.js into a single runtime.

Electron is widely used. Apps built on top of it include Microsoft Visual Studio Code, Skype, GitHub’s code editor Atom, Brackets, and several other official desktop apps such as Slack, Discord and Basecamp, among many more.

The issue was reported by Trustwave researcher Brendan Scarvell, who identified that the vulnerability affected all current versions of Electron at the time (< 1.7.13, < 1.8.4, and < 2.0.0-beta.3). Scarvell says the vulnerability allows nodeIntegration to be re-enabled, leading to potential remote code execution.

“There’s also a WebView tag feature which allows you to embed content, such as web pages, into your Electron application and run it as a separate process. When using a WebView tag you are also able to pass in a number of attributes, including nodeIntegration. WebView containers do not have nodeIntegration enabled by default. The documentation states that if the webviewTag option is not explicitly declared in your webPreferences, it will inherit the same permissions of whatever the value of nodeIntegration is set to.”

Brendan Scarvell goes on to detail the issue, with proof-of-concept code, in his blog post. If you want all the technical details, follow this link.

This vulnerability was assigned the CVE identifier CVE-2018-1000136 and Scarvell ends by thanking the Electron team for their quick response and action, quickly providing a patch to the public.
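To triage an application against the conditions described above, the following added example (not code from Scarvell's post or from the Electron project) checks an Electron version against the thresholds quoted in this article and flags a `webPreferences` object that disables nodeIntegration but leaves webviewTag undeclared. The function names and result labels are hypothetical, and the sample inputs are constructed.

```javascript
// Added example. Version thresholds are the ones quoted in this article;
// function names and result labels are hypothetical.
const FIXED_BY_LINE = {
  '1.8': [1, 8, 4, Infinity],
  '2.0': [2, 0, 0, 3], // 2.0.0-beta.3
};
const DEFAULT_FIXED = [1, 7, 13, Infinity]; // applies to 1.7.x and older

// "2.0.0-beta.2" -> [2, 0, 0, 2]; a final release sorts after every beta.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(v);
  if (!m) throw new Error(`unrecognised Electron version: ${v}`);
  return [+m[1], +m[2], +m[3], m[4] === undefined ? Infinity : +m[4]];
}

function isAffectedVersion(v) {
  const p = parseVersion(v);
  const fixed = FIXED_BY_LINE[`${p[0]}.${p[1]}`] || DEFAULT_FIXED;
  for (let i = 0; i < 4; i++) {
    if (p[i] !== fixed[i]) return p[i] < fixed[i];
  }
  return false; // exactly the fixed version
}

// Classifies a BrowserWindow webPreferences object.
function auditWebPreferences(prefs = {}) {
  // Electron releases of this era enable nodeIntegration unless it is set to false.
  if (prefs.nodeIntegration !== false) return 'node-integration-enabled';
  // The condition from the quote: webviewTag left undeclared, so it is inherited.
  if (!Object.prototype.hasOwnProperty.call(prefs, 'webviewTag')) {
    return 'webview-tag-undeclared';
  }
  return 'declared';
}

function assess(version, prefs) {
  const config = auditWebPreferences(prefs);
  // Flag apps that rely on nodeIntegration: false, leave webviewTag
  // undeclared, and run an affected release.
  const needsAttention =
    isAffectedVersion(version) && config === 'webview-tag-undeclared';
  return { version, config, needsAttention };
}

// Constructed sample inputs.
console.log(assess('1.8.3', { nodeIntegration: false }));
console.log(assess('1.8.4', { nodeIntegration: false }));
```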


Ricardo Mendes

Ricardo is a Senior Systems Administrator and Consultant at ISSCloud, after +10 years working in Private Telecom. He enjoys writing about Technology, Security & Privacy.
