Update Electron Immediately: Security flaw in popular Web Applications


Electron vulnerability

Electron, the popular web application framework, suffered from a vulnerability that could allow attackers to execute malicious code on victims' computers, with knock-on effects for the many popular web applications built on it.

Cyber security firm Trustwave's SpiderLabs exposed this flaw. According to the firm, the flaw, tracked as CVE-2018-1000136, affects Electron. Electron is a software framework developed by GitHub for building cross-platform web applications using HTML, CSS, and JavaScript.

Popular web applications such as Skype, WordPress, Slack, WhatsApp, Signal, Atom, and Visual Studio Code are all built on the Electron framework. The framework is essentially an API wrapped around Node.js, the server-side JavaScript runtime.


Node.js is a powerful framework for server-side applications, and exposing its APIs, even indirectly, gives Electron-based apps far more control over the underlying operating system than an ordinary web page would have.

Illegal Node.js APIs

To prevent illegal use of Node.js APIs, the Electron framework by default sets 'webviewTag: false' in its webPreferences configuration, which in turn sets nodeIntegration to false. This configuration was introduced in the framework to prevent real-time modification by malicious code, for example through XSS (cross-site scripting).

If an app developer forgets to declare the tag in the configuration, the framework treats the value of "nodeIntegration" as false, as a preventive measure.

Security researcher Brendan Scarvell published a proof of concept showing how an attacker could inject code into a targeted application running without "webviewTag" declared, by exploiting an XSS flaw. The exploit re-enables "nodeIntegration" at runtime, allowing attackers to gain unauthorized control over the application and execute arbitrary operating system commands.

The vulnerability was discovered earlier this year and affected all Electron versions. Electron's developers fixed it in March 2018 with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4. App developers should therefore verify whether their applications have been updated to a fixed release. Several major technology companies are on alert following this disclosure.
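The two checks a developer would want after reading the configuration discussion and the list of fixed releases above, as an added example that is not Electron's, Trustwave's or any affected project's code: the weak webPreferences object beside its corrected form, a small audit of those keys, and a version check against the fixed releases named in the article. The audit rules and the handling of release lines not named in the article are assumptions.

```javascript
// Constructed sample of what a vulnerable app might pass to new BrowserWindow():
// nodeIntegration is off, but webviewTag is left undeclared.
const weakPrefs = { nodeIntegration: false };
// Corrected form: declare both keys explicitly so nothing depends on defaults.
const hardenedPrefs = { nodeIntegration: false, webviewTag: false };

// Returns a list of findings; an empty list means the two keys are set safely.
// Rule set is an assumption based on the article, not an official Electron check.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration !== false) {
    findings.push('nodeIntegration is not explicitly false');
  }
  if (prefs.webviewTag !== false) {
    findings.push('webviewTag is not explicitly false (CVE-2018-1000136 precondition)');
  }
  return findings;
}

// Fixed releases named in the article, one per release line.
const FIXED = ['1.7.13', '1.8.4', '2.0.0-beta.4'];

// Parses "major.minor.patch" with an optional "-beta.N" suffix into comparable numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(v);
  if (!m) throw new Error('unsupported version string: ' + v);
  // A final release sorts above any beta with the same major.minor.patch.
  const beta = m[4] === undefined ? Number.MAX_SAFE_INTEGER : Number(m[4]);
  return [Number(m[1]), Number(m[2]), Number(m[3]), beta];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when an Electron version is at or above the fix for its release line.
function isPatched(version) {
  const [major, minor] = parseVersion(version);
  const line = FIXED.find(f => {
    const [fm, fn] = parseVersion(f);
    return fm === major && fn === minor;
  });
  // Assumption: lines not named in the article are patched only if they
  // postdate 2.0.0-beta.4 (2.0.0 final, 2.1.x, 3.x); older lines like 1.6.x are not.
  return compareVersions(version, line || '2.0.0-beta.4') >= 0;
}
```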