Vulnerability of remote code execution in Electron, framework used by WhatsApp, Skype, Slack or WordPress
Electron, a framework created by GitHub and used for the creation of cross-platform desktop applications such as WhatsApp, Skype, Slack, WordPress, Visual Studio Code, Discord, Atom and many other services, suffered until recently a vulnerability that allowed the remote execution of malicious code on a victim’s computer.
The vulnerability, with identifier CVE-2018-1000136 , was discovered by security researcher Brendan Scarvell, of Trustwave, and was in Electron versions prior to 1.7.13, 1.8.4 and 2.0.0-beta.3. And, by extension, in the many services that have used them for their desktop versions.
The problem seems to have been solved in versions 1.7.13, 1.8.4 and 2.0.0-beta.4, although it is up to the developers to implement the fixes in the applications with which they have used the GitHub tool. Until this implementation does not take place, there can be vulnerable desktop programs built with Electron.
How the vulnerability worked
What the Trustwave researcher discovered is that this access, deactivated by default, could be reactivated under certain circumstances thanks to a configuration file that all Electron applications have.
Scarvell detected that an attacker could exploit a cross-site scripting vulnerability (because as we said, desktop applications created with Electron are essentially web applications) to create a new WebView element by creating its own permissions . With certain changes they would achieve remote execution of the code.
The problem was patched in March 2018 with the release of the aforementioned versions 1.7.13, 1.8.4 and 2.0.0-beta.4, so developers should have updated to make their applications immune or, at least, ensure that they are not affected by this vulnerability.