Electron spins out a patch for bad XSS bug
Electron developers need to check their apps, after a security researcher turned up a remote code execution bug in the framework.
What TrustWave’s Brendan Scarvell found is that an attacker can turn on services beyond the developer’s intent.
A developer only needed to be a little careless, accepting defaults without explicitly turning a service off, and their application would be vulnerable.
The post noted that the framework is used by “Slack, Discord, Signal, Atom, Visual Studio Code, and Github Desktop”, among others.
Scarvell explained the conditions for an app to be vulnerable: it’s built on version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3, and the developer hasn’t manually done one of the following:
- ”Declared webviewTag: false in its webPreferences;
- ”Enabled the nativeWindowOption option in its webPreferences; or
- ”Intercepting new-window events and overriding event.newGuest without using the supplied options tag.”
So, what’s going on here? Setting nodeIntegration: false in an app’s webPreferences is supposed to prevent interaction with the Electron API from gaining access to the underlying Node.js – and that’s switched off by default.
The nodeIntegration: false setting also saves the developer the effort of sanitising user inputs which, if they were handled by Node.js, would enable XSS attacks.
The one bug to bring them all down – CVE-2018-1000136 (including, but not limited to: Signal Desktop, Slack, Discord, Atom, Visual Studio Code, Github Desktop) https://t.co/dPDkecJzFm #electron #vulnerability
— x0rz (@x0rz) May 12, 2018
As Scarvell explained, the vulnerability he found allowed an attacker to change the nodeIntegration setting to “true”.
The issue is in the handling of another tag, WebView, which allows a developer to “embed content, such as web pages, into your Electron application and run it as a separate process”, in combination with how Electron handles new browser windows.
An attacker, he wrote, could control the new browser window (the window.open command) to pass a WebView tag that enabled nodeIntegration (that is, set it to “true”).
Electron has provided a patch to CVE-2018-1000136 in versions 1.7.13, 1.8.4, 2.0.0-beta.4 here, along with mitigation instructions if, for some reason, a developer can’t upgrade. ®