GitHub's open source development framework Electron is affected by a flaw that can allow remote code execution, publicly disclosed last week by the researcher who found it.

Electron allows developers to build cross-platform desktop applications using HTML, CSS and JavaScript. The framework has been used in the development of hundreds of applications, including Skype, GitHub Desktop, Slack, WhatsApp, Signal, Discord and WordPress.com.

Brendan Scarvell, a researcher at Trustwave, disclosed earlier this year that certain applications built with Electron can allow remote code execution if they are affected by cross-site scripting (XSS) flaws and are configured in a specific way.

“Electron applications are essentially web apps, which means they’re susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js’ built-in modules. This makes XSS particularly dangerous, as an attacker’s payload can do some nasty things such as require in the child_process module and execute system commands on the client side,” the researcher explained in a blog post. “You can remove access to Node.js by passing nodeIntegration: false into your application’s webPreferences.”

Scarvell also found that if an application is affected by an XSS vulnerability and certain options have not been explicitly set in the app's webPreferences, an attacker can re-enable nodeIntegration at runtime and execute system commands, even though the application had switched it off.

Electron's developers track the flaw as CVE-2018-1000136. It was fixed in March with the release of versions 1.7.13, 1.8.4 and 2.0.0-beta.4. The vulnerability can also be mitigated by adding a piece of code provided by Electron to the application's main process. The Signal messaging app and the Brave web browser have reportedly been confirmed as not affected.
