Vulnerability in Electron could pose danger to Skype and WordPress web apps


A security vulnerability has been discovered in a software framework used by web apps that could enable hackers to execute remote code. The problem could affect many web apps that use the framework.

 
According to a blog post by researchers at Trustwave's SpiderLabs, the flaw affects Electron, a software framework that enables developers to create cross-platform desktop applications using HTML, CSS, and JavaScript. Popular applications such as Skype, WordPress, Slack, Discord, Signal, Atom, Visual Studio Code, and GitHub Desktop are all built using the Electron framework. Electron is an API wrapped around the Node.js server-side JavaScript runtime.
 
According to Brendan Scarvell, a security consultant at Trustwave SpiderLabs, these web apps are susceptible to cross-site scripting attacks through failure to correctly sanitise user-supplied input.
 
“A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js' built-in modules. This makes XSS particularly dangerous, as an attacker's payload can do some nasty things such as require in the child_process module and execute system commands on the client-side,” he said.
 
Scarvell added that Atom had an XSS vulnerability not too long ago which did exactly that. In Electron, there is a webPreferences configuration file. If the webviewTag setting is set to false in this configuration, nodeIntegration is also set to false.
 
The researcher said that hackers could set the nodeIntegration option to "true" and grant themselves access to the more powerful Node.js APIs and modules.
 
“This allowed window.open to pass the webviewTag option as an additional feature, re-enabling nodeIntegration and allowing the potential for remote code execution,” said Scarvell.
 
He showed a proof-of-concept that demonstrated how an XSS payload can re-enable nodeIntegration during run time and allow execution of system commands. He said the proof-of-concept can “allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3)”. Also, the developer needs to have “declared webviewTag: false in its webPreferences; enabled the nativeWindowOpen option in its webPreferences; or intercepting new-window events and overriding event.newGuest without using the supplied options”.
 
Scarvell notified Electron about the vulnerability. Electron has provided a patch for the vulnerability.
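For teams triaging their own apps, the following is an added example (not code from Trustwave, Electron or this article) that checks an Electron version against the fixed releases quoted above and flags the options named above when they appear in a `window.open` feature string. The function names, the per-release-line reading of the version ranges and the case-insensitive matching are assumptions.

```javascript
// First patched release on each line, from the versions quoted in the article.
const FIXED = { '1.7': '1.7.13', '1.8': '1.8.4', '2.0': '2.0.0-beta.3' };
// Options a window.open() feature string should never be able to set.
const PRIVILEGED = ['nodeintegration', 'webviewtag'];

// Split "2.0.0-beta.3" into core numbers [2, 0, 0] and prerelease parts ['beta', 3].
function parse(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-(.+))?$/.exec(version);
  if (!m) throw new Error('unrecognised version: ' + version);
  const pre = m[4] ? m[4].split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p)) : [];
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre };
}

// Semver-style ordering: -1, 0 or 1. A release outranks its own prereleases.
function compare(a, b) {
  const x = parse(a), y = parse(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  if (!x.pre.length || !y.pre.length) return Math.sign(y.pre.length - x.pre.length);
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    if (p === q) continue;
    if (typeof p !== typeof q) return typeof p === 'number' ? -1 : 1;
    return p < q ? -1 : 1;
  }
  return 0;
}

// True when the version predates the fix for its release line.
function isVulnerableVersion(version) {
  const { nums } = parse(version);
  const fixed = FIXED[nums[0] + '.' + nums[1]];
  // Assumption: lines not listed are judged against 1.7.13 (older = affected).
  return compare(version, fixed || '1.7.13') < 0;
}

// Names of privileged options present in a window.open() feature string.
function privilegedFeatures(features) {
  return String(features || '').split(',')
    .map(f => f.split('=')[0].trim().toLowerCase())
    .filter(name => PRIVILEGED.includes(name));
}

// Constructed sample input, not taken from the article.
for (const v of ['1.7.12', '1.8.4', '2.0.0-beta.2', '2.0.0']) {
  console.log(v, isVulnerableVersion(v) ? 'needs update' : 'patched');
}
console.log(privilegedFeatures('width=400,height=300,webviewTag=no'));
```

A non-empty result from `privilegedFeatures` in a window-creation handler is a signal to deny the request or log it for review.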

This article originally appeared at scmagazineuk.com

Copyright © SC Magazine, UK edition