
Electron Bug - NodeIntegration Bypass - dschuetz
https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/
======
tptacek
Someone should point out --- and it should have occurred to me earlier to look
into this and point it out myself, and I should catch some flack for that ---
that the Trustwave bug is situational, but is reported as if it impacts all
Electron applications.

In fact, a good number of Electron apps, including Signal and Slack, are
confirmed _not vulnerable_ to this particular bug, despite the misleading way
the report was written. (There's another bug being talked about which is
adding to the confusion).

The authors of this report should update it to clarify, rather than simply
naming the most popular Electron apps as a means of whipping up attention.

~~~
pvg
Isn't it mostly confusion with the Signal XSS report? The Trustwave thing
doesn't come out and say any particular app is vulnerable.

~~~
tptacek
It probably is, but then, that would suggest that they should be extra careful
about not saying they found a Signal vulnerability, right?

~~~
pvg
They don't really say that but I'm in violent agreement they should have been
much more clear and explicit. At the same time, you were just talking about a
BlackHat presentation which you feel didn't get sufficient attention, possibly
due to a lack of awareness the tech in question is at the core of a bunch of
popular apps. The presentation mentions no specific apps at all. So this thing
seems like a bit of threading that needle poorly and also some bad timing.
It's not like they bought the domain jitterbugdoor.exposed and splattered
'Signal Degradation through Electron Degeneracy Pressure' across it.

------
tptacek
The security story on Electron is pretty grim; it's an environment where you
can plausibly say that DOM injection (cross-site scripting) is equivalent to
RCE. Luca Carettoni broke this news last year at Black Hat, but didn't seem to
get too much attention (I don't think many security people knew what a big
deal Electron was in the dev community).

[https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni...](https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf)

~~~
dschuetz
And it isn't getting much attention on HN, ironically. Oh well...

------
Sindisil
I wonder how widespread the issue might actually be, given the description at
the end:

"...can allow for remote code execution provided that the application is using a
vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3),
and hasn't manually opted into one of the following:

* Declared webviewTag: false in its webPreferences.

* Enabled the nativeWindowOption option in its webPreferences.

* Intercepting new-window events and overriding event.newGuest without using the supplied options tag."
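
Applying the quoted conditions mechanically, as an added example that is not part of the thread or of the Trustwave advisory: a small audit helper that checks an app's Electron version and its declared BrowserWindow webPreferences against the three opt-outs. It assumes the "nativeWindowOption" in the quote refers to Electron's nativeWindowOpen webPreference, and that the version string is what process.versions.electron reports inside the app.

```javascript
// Added example, not code from the advisory or from any Electron app: applies
// the quoted version ranges and the three opt-outs to an app's declared
// BrowserWindow webPreferences. "nativeWindowOpen" is assumed to be the option
// the quote calls "nativeWindowOption".

// Parse "major.minor.patch" with an optional "-beta.N" tag. A beta sorts before
// its final release, so a missing tag is represented as Infinity.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-beta\.(\d+))?$/.exec(v);
  if (!m) throw new Error('unrecognised Electron version: ' + v);
  return [+m[1], +m[2], +m[3], m[4] === undefined ? Infinity : +m[4]];
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 4; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Ranges taken from the advisory text: < 1.7.13, < 1.8.4, < 2.0.0-beta.3.
const VULNERABLE_RANGES = [['0.0.0', '1.7.13'], ['1.8.0', '1.8.4'], ['2.0.0-beta.0', '2.0.0-beta.3']];

function isVulnerableElectronVersion(version) {
  return VULNERABLE_RANGES.some(([lo, hi]) =>
    compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0);
}

// Any one of the three opt-outs takes an app out of the advisory's scope.
function hasOptedOut(webPreferences = {}, interceptsNewWindow = false) {
  return webPreferences.webviewTag === false
    || webPreferences.nativeWindowOpen === true
    || interceptsNewWindow === true;
}

function assess(app) {
  if (!isVulnerableElectronVersion(app.electronVersion)) return 'fixed Electron version';
  if (hasOptedOut(app.webPreferences, app.interceptsNewWindow)) return 'mitigated by configuration';
  return 'meets every condition in the advisory';
}

// Constructed sample apps; none corresponds to a real product.
const SAMPLE_APPS = [
  { name: 'app-a', electronVersion: '1.8.2', webPreferences: { nodeIntegration: false } },
  { name: 'app-b', electronVersion: '1.8.2', webPreferences: { nodeIntegration: false, webviewTag: false } },
  { name: 'app-c', electronVersion: '2.0.0-beta.3', webPreferences: {} },
  { name: 'app-d', electronVersion: '1.7.12', webPreferences: {}, interceptsNewWindow: true },
];
for (const app of SAMPLE_APPS) console.log(app.name + ': ' + assess(app));
```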

~~~
falcolas
Is there a way to tell what version of electron an app is using?

These aren't old versions - 2 months in one case.

------
klaustopher
Slack already confirmed that they are not vulnerable:
[https://twitter.com/SlackHQ/status/995444608002875392](https://twitter.com/SlackHQ/status/995444608002875392)

------
chmars
Apps using Electron are – among others – Signal, Slack and Zoom:

[https://electronjs.org/apps](https://electronjs.org/apps)

~~~
joeyspn
And Skype, VS Code, etc...

~~~
andyfleming
And Atom

