Exploit puts popular web and mobile apps at risk

A new exploit could allow users to bypass security checks in Electron, a popular cross-platform development framework. The exploit, posted by Trustwave, has been patched and developers should update their apps as soon as possible.

The exploit could allow cross site scripting in some apps by turning on nodeIntegration, a method that allows the app to not only connect to its own modules but also Node.js modules.

From the announcement:

Electron applications are essentially web apps, which means they’re susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js’ built in modules. This makes XSS particularly dangerous, as an attacker’s payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side. Atom had an XSS vulnerability not too long ago which did exactly that. You can remove access to Node.js by passing nodeIntegration: false into your application’s webPreferences.

Many popular apps use Electron including Discord, Signal, Visual Studio Code, and Github. Slack also uses Electron for its apps.

The exploit depends on the nodeIntegration setting and the process of opening a new window. While in most cases nodeIntegration is set to false, in some cases you can set nodeIntegration to true and then pass other nefarious scripts including calling the child_process module which lets you make system calls like spawn which then lets you run commands in the operating system.

You can see Electron’s website here and here is their blog post on the update. Most apps shouldn’t be effected as long as you’ve upgraded the platform in the last few weeks.