Security researchers discovered a series of vulnerabilities in twenty commonly used Electron applications and gained Remote Code Execution within apps such as Discord, Teams (local file read), VSCode, Basecamp, Mattermost, Element, Notion, and others.
The researchers presented their findings on Thursday at the Black Hat cybersecurity conference in Las Vegas, detailing how they could have hacked tens of millions of users who use Discord, Microsoft Teams, and the chat app Element by exploiting the software underlying all of them: Electron.
About Electron: It is a free and open-source software framework developed and maintained by GitHub. The framework is designed to create desktop applications using web technologies which are rendered using a flavor of the Chromium browser engine, and a backend using the Node.js runtime environment.
One of the researchers named Aaditya Purani, who found these vulnerabilities reported the vulnerabilities to Electron, which earned them more than $10,000 in rewards. The bugs has been fixed before the researchers published their research.
In the case of Discord, the bug Purani and his mates found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, the exploit works if the targets clicked on these links which will lead to a full takeover of the target systems.
Purani says - “regular users should know that the Electron apps are not the same as their day-to-day browsers,” meaning they are potentially more vulnerable. “I recommend using the website itself because then you have the protection which Chromium has, which is much larger than the Electron,” - he added.
Still, Purani said that it’s a good thing to have Electron underlie so many apps because “if you have just one framework, which is running all the apps, then you can just focus on hardening that same framework.”