Electron, the popular web application framework, suffered from a vulnerability that potentially allows attackers to execute malicious code on victims' computers, with knock-on effects for the popular web applications built on it.
Node.js is a powerful framework for server-side applications; reaching its APIs indirectly gives Electron-based apps more control over the operating system installed on the server.
Illegal Node.js APIs
To prevent illegal use of Node.js APIs, the Electron framework by default sets ‘webviewTag: false’ in its webPreferences configuration file, which in turn sets nodeIntegration to false. This configuration file was introduced in the framework to prevent run-time modifications by malicious code, such as XSS (cross-site scripting).
If an app developer forgets to declare the tag in the configuration file, the framework treats the value of “nodeIntegration” as false, as a preventive measure.
Cyber security researcher Brendan Scarvell published a proof of concept showing how an attacker can inject code into targeted applications running without “webviewTag” declared, by exploiting an XSS flaw. The exploit re-enables “nodeIntegration” at runtime, allowing attackers to gain unauthorized control over the application server and execute arbitrary system commands.
The vulnerability was discovered earlier this year and affected all Electron versions. Electron's developers fixed it in March 2018 with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4, so app developers should check whether their applications have been updated. Some popular tech giants are on alert after this disclosure.