A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims' computers.
Electron is an open source app development framework that powers thousands of widely-used desktop applications including WhatsApp, Skype, Signal, WordPress, Slack, GitHub Desktop, Atom, Visual Studio Code, and Discord.
Besides its own modules, the Electron framework also allows developers to create hybrid desktop applications by integrating Chromium and the Node.js framework through APIs.
Since Node.js is a robust framework for server-side applications, having access to its APIs indirectly gives Electron-based apps more control over the operating system installed on the server.
To prevent unauthorised or unnecessary access to Node.js APIs, the Electron framework by default sets the value of "webviewTag" to false in its "webPreferences" configuration file, which then sets "nodeIntegration" to false.
This configuration file with the hardcoded values of some parameters was introduced in the framework to prevent real-time modifications by malicious functions, i.e., by exploiting a security vulnerability like cross-site scripting (XSS).
Moreover, if an app developer skips or forgets to declare "webviewTag: false" in the configuration file, even then the framework by default considers the value of "nodeIntegration" as false, as a preventive measure.
However, Trustwave researcher Brendan Scarvell has released proof-of-concept (PoC) code that attackers can inject into targeted applications running without "webviewTag" declared, by exploiting a cross-site scripting flaw, to achieve remote code execution.
The exploit re-enables "nodeIntegration" at runtime, allowing attackers to gain unauthorised control over the application server and execute arbitrary system commands.
It should be noted that the exploit would not work if the developer has also opted for one of the following options:
- nativeWindowOption option enabled in its webPreferences.
- Intercepting new-window events and overriding event.newGuest without using the supplied options tag.
The vulnerability, tracked as CVE-2018-1000136, was reported to the Electron team by Scarvell earlier this year and affected all versions of Electron at the time of discovery.
Electron developers patched the vulnerability in March 2018 with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4.
So, app developers should ensure their applications are patched, or at least not vulnerable to this issue.
For more technical details on the Electron vulnerability and PoC exploit code, you can head on to Trustwave's blog post.
It should also be noted that the Electron bug has nothing to do with the recently discovered flaw in the Signal app, which has also recently patched a critical cross-site scripting vulnerability that leads to remote code execution, whose full technical details are scheduled to be published exclusively on The Hacker News this evening. Stay Tuned!