Security Flaw Impacts Electron-Based Apps

Researchers at Trustwave discovered a vulnerability in the Electron software framework, which is used to build desktop applications such as Microsoft Skype, Visual Studio Code, Slack, the Brave browser, Signal, Twitch, and many more. Successful exploitation of CVE-2018-1000136 could allow a threat actor to perform remote code execution on vulnerable versions of Electron. The vulnerability takes advantage of the nodeIntegration option found within the webPreferences configuration of Electron-based apps. By exploiting a cross-site scripting (XSS) vulnerability, a threat actor could create a new WebView window in the Electron-based app and, by setting the nodeIntegration flag equal to “true,” gain access to operating system features. The flaw was reported to the Electron team, and patches were released for the vulnerable versions of the framework: versions prior to 1.7.13, 1.8.4, or 2.0.0-beta.3. The NJCCIC recommends that all users of Electron-based apps review the Trustwave blog for more information and apply the necessary updates for vulnerable applications as soon as possible.
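As an added defensive example (not code from the advisory, Trustwave, or the Electron project), the main-process guard below closes the attack path described above: even if injected script manages to create a WebView, the guest cannot be attached with nodeIntegration enabled or an attacker-supplied preload script. It relies on Electron's documented `web-contents-created` and `will-attach-webview` events; the allowed-origin list and the `app` object being passed in for testing are assumptions for illustration.

```javascript
// Origins the application legitimately embeds in <webview> tags (constructed sample).
const ALLOWED_WEBVIEW_ORIGINS = ['https://app.example.com'];

// Sanitise a guest's webPreferences in place and decide whether the <webview>
// may be attached. Returns true to allow the attachment, false to block it.
function hardenWebviewPreferences(webPreferences, params, allowedOrigins) {
  // A renderer-controlled preload script runs with Node access; never honour it.
  delete webPreferences.preload;
  delete webPreferences.preloadURL;
  // The CVE-2018-1000136 path: a guest page created with nodeIntegration=true.
  webPreferences.nodeIntegration = false;
  webPreferences.nodeIntegrationInWorker = false;
  webPreferences.webSecurity = true;
  webPreferences.allowRunningInsecureContent = false;

  // Only allow guests whose origin is on the allow-list; javascript:, data:
  // and about:blank sources have an opaque ("null") origin and are refused.
  let origin;
  try {
    origin = new URL(params.src).origin;
  } catch (e) {
    return false; // missing or unparsable src: block
  }
  return allowedOrigins.includes(origin);
}

// Register the guard on an Electron `app` object. The object is passed in so
// the logic can be exercised in plain Node without Electron installed.
function registerWebviewGuard(app, allowedOrigins) {
  app.on('web-contents-created', (_event, contents) => {
    contents.on('will-attach-webview', (event, webPreferences, params) => {
      if (!hardenWebviewPreferences(webPreferences, params, allowedOrigins)) {
        event.preventDefault(); // refuse to attach the <webview> at all
      }
    });
  });
}

// Wire it up when running inside Electron's main process; harmless elsewhere.
try {
  registerWebviewGuard(require('electron').app, ALLOWED_WEBVIEW_ORIGINS);
} catch (e) {
  // `electron` is not available here (e.g. a plain Node run); nothing to register.
}
```

Disabling the `webviewTag` preference entirely for windows that do not need embedded guests is a simpler complement to this guard, and upgrading to a patched Electron release remains the primary fix.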