Skype
Skype

A security vulnerability has been discovered in a software framework used web apps that could enable hackers to execute remote code. The problem could affect many web apps that use the framework.

According to a blog post by researchers working at Trustwave's SpiderLabs, the flaw affects Electron. This is a software framework that enables developers to create cross-platform desktop applications using HTML, CSS, and JavaScript. Some popular applications such as Skype, Wordpress, Slack, Discord, Signal, Atom, Visual Studio Code, and Github Desktop are all built using the Electron framework. Electron is an API wrapped around the Node.js server-side JavaScript server. 

According to Brendan Scarvell, a security consultant at Trustwave Spiderlabs, these web apps are susceptible to cross-site scripting attacks through failure to correctly sanitise user-supplied input.

“A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js' built in modules. This makes XSS particularly dangerous, as an attacker's payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side,” he said.

Scarvell added that Atom had an XSS vulnerability not too long ago which did exactly that. In Electron, there is a webPreferences configuration file. If the webviewTag setting is set to false in this configuration, the nodeIngration is also set to false.

The researcher said that hackers could set the nodeIntegration option to "true" and grant themselves access to the more powerful Node.js APIs and modules.

“This allowed window.open to pass the webviewTag option as an additional feature, re-enabling nodeIntegration and allowing the potential for remote code execution,” said Scarvell.

He showed a proof-of-concept that demonstrated how an XSS payload can re-enable nodeIntegration during run time and allow execution of system commands.  He said the proof-of-concept can “allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3)”. Also, the develop needs also to have “declared webviewTag: false in its webPreferences; enabled the nativeWindowOption option in its webPreferences; or “Intercepting new-window events and overriding event.newGuestwithout using the supplied options tag”.

Scarvell notified Electron about the vulnerability. Electron has provided a patch to the vulnerability here. 

Blueliv's Head of Threat Intelligence, Jose Miguel Esparza, told SC Media UK that since this is a client-side attack, the key to protecting users' systems is to apply the latest third-party application patches and updates. 

“With regards to this particular remote code execution vulnerability, it is worth considering solutions using a whitelist of processes authorised to execute commands and launch processes in the machine, and using those applications in isolated environments (sandboxes, virtual machines) to remain protected and mitigate any potential impact,” he said.

He added that in a situation where the vulnerability can be exploited, an attacker might execute remote code in the victim's computer, such as permissions to execute system commands. “It is a serious vulnerability but according to Electron's announcement in March, not many applications appeared to be vulnerable to this security problem because several conditions must occur simultaneously to allow exploitation,” added Esparga.

Jon Topper, CTO of DevOps consultancy The Scale Factory, told SC Media UK that the onus will be on Slack to update the version of Electron they're using and push a new version. “As always, mitigating such attacks comes down to keeping on top of updates and regular patching."