Remote code execution vulnerability in Electron, the framework used by WhatsApp, Skype, Slack and WordPress

Electron, a framework created by GitHub and used to build cross-platform desktop applications such as WhatsApp, Skype, Slack, WordPress, Visual Studio Code, Discord, Atom and many others, was until recently affected by a vulnerability that allowed remote execution of malicious code on a victim's computer.

The vulnerability, identified as CVE-2018-1000136, was discovered by security researcher Brendan Scarvell of Trustwave and was present in Electron versions prior to 1.7.13, 1.8.4 and 2.0.0-beta.3 and, by extension, in the many services that used those versions for their desktop applications.

Electron lets you create native-looking desktop applications using web technologies

The problem seems to have been solved in versions 1.7.13, 1.8.4 and 2.0.0-beta.4, although it is up to developers to ship the fixes in the applications they have built with the GitHub tool. Until that happens, desktop programs built with Electron may remain vulnerable.

How the vulnerability worked

Desktop applications built with Electron use HTML, CSS and JavaScript. Additionally, whenever the developer requires it, Node.js can be brought in so that the application can access lower-level parts of the system, even to the point of executing its own shell commands.

What the Trustwave researcher discovered is that this access, deactivated by default, could be reactivated under certain circumstances thanks to a configuration file that all Electron applications have.

Scarvell found that an attacker could exploit a cross-site scripting vulnerability (because, as we said, desktop applications created with Electron are essentially web applications) to create a new WebView element and set its own permissions. With certain changes, they could achieve remote code execution.

The problem was patched in March 2018 with the release of the aforementioned versions 1.7.13, 1.8.4 and 2.0.0-beta.4, so developers should have updated to make their applications immune or, at least, ensure that they are not affected by this vulnerability.
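As an added example (not code from Trustwave or the Electron project), the following JavaScript classifies an Electron version string against the fixed releases named above. The function names and the sample inventory are constructed for illustration; release lines newer than 2.0 are assumed to include the fix, and lines older than 1.7 are not covered by this article and are reported as unknown.

```javascript
// Added example: classify an Electron version against the fixed releases
// named in the article (1.7.13, 1.8.4, 2.0.0-beta.4), keyed by release line.
const FIXED = { '1.7': '1.7.13', '1.8': '1.8.4', '2.0': '2.0.0-beta.4' };

function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(version).trim());
  if (!m) return null;
  return { nums: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// Semver pre-release ordering: a final release sorts above its pre-releases,
// and numeric identifiers compare as numbers (beta.10 > beta.4).
function comparePre(a, b) {
  if (!a.length || !b.length) return Math.sign(b.length - a.length);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    const na = /^\d+$/.test(a[i]), nb = /^\d+$/.test(b[i]);
    if (na !== nb) return na ? -1 : 1; // numeric sorts below alphanumeric
    const x = na ? +a[i] : a[i], y = nb ? +b[i] : b[i];
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  return comparePre(a.pre, b.pre);
}

function classify(version) {
  const v = parse(version);
  if (!v) return 'unparseable';
  const fixed = FIXED[`${v.nums[0]}.${v.nums[1]}`];
  if (fixed) return compare(v, parse(fixed)) >= 0 ? 'patched' : 'vulnerable';
  // Assumption: lines after 2.0 carry the fix; lines before 1.7 are not
  // covered by the article and need manual review.
  return compare(v, parse('2.0.0')) > 0 ? 'patched' : 'unknown';
}

// Constructed inventory: app name -> bundled Electron version
// (inside a running app this value is process.versions.electron).
const inventory = { 'chat-app': '1.7.12', 'editor': '1.8.4', 'notes': '2.0.0-beta.3', 'legacy': '1.6.11' };
const needsAction = (inv) => Object.entries(inv)
  .filter(([, v]) => classify(v) !== 'patched')
  .map(([app, v]) => `${app}@${v}: ${classify(v)}`);
console.log(needsAction(inventory));
```
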
