
Security researchers have found a security flaw in Electron, a software framework that has been used in the past half-decade for building a wealth of popular desktop applications.

Apps built on top of Electron include Microsoft's Skype and Visual Studio Code, GitHub's Atom code editor, the Brave browser, along with official desktop apps for services like Signal, Twitch, Discord, Basecamp, Slack, Ghost, WordPress.com, and many more.

The framework has become very popular among today's software development community because it allows developers to easily port web-based apps coded in HTML, JS, and CSS to run on the desktop. The framework is a custom API wrapped around Node.js, the server-side JavaScript runtime.

Electron and its dangerous Node.js APIs and modules

When building Electron-based apps, developers have the option of using a limited environment built mostly on the Electron API, but they can also tap into the Node.js APIs and its modules.

Because Node.js is the more mature project, its APIs and built-in modules provide deeper integration with the underlying OS and give the developer, and the app, access to more OS features.

The Electron team was aware of this risk and created a mechanism that prevents attackers targeting Electron-based apps from tapping into these APIs to harm the underlying OS.

For apps that just want to run HTML and JS code on the desktop, the "nodeIntegration: false" setting applies by default, meaning access to the Node.js APIs and modules is disabled unless the developer enables it.

Embedding these pure web-based apps inside an Electron app is done via a component named WebView.

Escalating from XSS to RCE

All Electron-based apps work on a webPreferences config. If webviewTag is set to false in this config, then nodeIntegration is also set to false. If developers have not declared webviewTag at all, then the app considers nodeIntegration to still be set to false.

This is where the problem lies, according to Trustwave researcher Brendan Scarvell, who discovered a mechanism that malicious actors could use to turn the nodeIntegration option to "true" and grant themselves access to the more powerful Node.js APIs and modules.

Scarvell says that if the developers of an Electron-based app have not specifically declared the "webviewTag: false" option inside the app's webPreferences config, an attacker can use any mundane cross-site scripting (XSS) vulnerability inside the app to create a new WebView component window whose settings they control, and could set the nodeIntegration flag to "true."
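The configuration condition described above, as an added example (not code from the article, Trustwave, or the Electron project): a weak webPreferences object beside a hardened one, an audit function that flags an undeclared webviewTag, and a sanitizer that applies the same defaults a `will-attach-webview` handler would enforce on a new WebView. The function names and sample objects are assumptions for illustration.

```javascript
// Constructed sample: nodeIntegration is off, but webviewTag was never declared.
// On a vulnerable Electron version, a renderer XSS could create a <webview>
// with nodeIntegration enabled because nothing forbids the tag.
const weakPrefs = { nodeIntegration: false, contextIsolation: true };

// Hardened sample: the <webview> tag is explicitly disabled, so a renderer
// cannot spawn a second, more privileged web context at all.
const hardenedPrefs = {
  nodeIntegration: false,
  contextIsolation: true,
  webviewTag: false,
};

// Returns a list of findings for a BrowserWindow webPreferences object.
function auditWebPreferences(prefs) {
  const findings = [];
  if (prefs.nodeIntegration === true) {
    findings.push('nodeIntegration is enabled: the renderer has full Node.js access');
  }
  if (prefs.webviewTag !== false) {
    findings.push('webviewTag is not explicitly false: renderer XSS could create a <webview> with nodeIntegration on a vulnerable Electron version');
  }
  return findings;
}

// Defence in depth for apps that genuinely need <webview>: strip Node access
// and any attacker-supplied preload script from the WebView's own preferences.
// In an Electron app this logic belongs in the main process, inside a
// contents.on('will-attach-webview', (event, webPreferences, params) => ...)
// listener; here it is a pure function so it runs under plain Node.js.
function sanitizeWebviewPrefs(webPreferences) {
  const safe = { ...webPreferences };
  delete safe.preload;
  delete safe.preloadURL;
  safe.nodeIntegration = false;
  safe.contextIsolation = true;
  return safe;
}

module.exports = { weakPrefs, hardenedPrefs, auditWebPreferences, sanitizeWebviewPrefs };
```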

Mind you, Electron-based apps are packaged HTML and JS code, meaning finding an XSS flaw in an app to exploit this bug isn't as hard as it sounds, because most web apps are rife with such bugs.

Scarvell published proof-of-concept code showing how an attacker could exploit any XSS flaw and extend their access to the underlying OS. He says this flaw "can allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3)."

The security researcher privately reported the bug, and the Electron team released fixes in mid-March. It is unclear, though, how many Electron-based apps are vulnerable to the bug Scarvell discovered and which have integrated the patches. This flaw has received the CVE identifier CVE-2018-1000136.

Article title updated to remove mention of Signal after a company spokesperson said their app is not affected. Brave also confirmed it is not affected.
