Electron Bug - NodeIntegration Bypass (trustwave.com)
30 points by dschuetz 8 months ago | 13 comments

Someone should point out --- and it should have occurred to me earlier to look into this and point it out myself, and I should catch some flak for that --- that the Trustwave bug is situational, but is reported as if it impacts all Electron applications.

In fact, a good number of Electron apps, including Signal and Slack, are confirmed not vulnerable to this particular bug, despite the misleading way the report was written. (There's another bug being talked about which is adding to the confusion).

The authors of this report should update it to clarify, rather than simply naming the most popular Electron apps as a means of whipping up attention.

Isn't it mostly confusion with the Signal XSS report? The Trustwave thing doesn't come out and say any particular app is vulnerable.

It probably is, but then, that would suggest that they should be extra careful about not saying they found a Signal vulnerability, right?

They don't really say that but I'm in violent agreement they should have been much more clear and explicit. At the same time, you were just talking about a BlackHat presentation which you feel didn't get sufficient attention, possibly due to a lack of awareness the tech in question is at the core of a bunch of popular apps. The presentation mentions no specific apps at all. So this thing seems like a bit of threading that needle poorly and also some bad timing. It's not like they bought the domain jitterbugdoor.exposed and splattered 'Signal Degradation through Electron Degeneracy Pressure' across it.

The security story on Electron is pretty grim; it's an environment where you can plausibly say that DOM injection (cross-site scripting) is equivalent to RCE. Luca Carretoni broke this news last year at Black Hat, but didn't seem to get too much attention (I don't think many security people knew what a big deal Electron was in the dev community).


And it isn't getting much attention on HN, ironically. Oh well...

I wonder how widespread the issue might actually be, given the description at the end:

"can allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3), and hasn't manually opted into one of the following:

* Declared webviewTag: false in its webPreferences.

* Enabled the nativeWindowOption option in its webPreferences.

* Intercepting new-window events and overriding event.newGuest without using the supplied options tag."
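The quoted paragraph is effectively a checklist an Electron developer can run against their own app. The following is an added example (not code from the thread, from Trustwave, or from the Electron project) that turns that checklist into a small audit: it compares the runtime version against the three fixed releases named in the quote, checks a window's `webPreferences` for the two opt-outs listed, and shows a `new-window` handler of the shape the third bullet describes, one that sets `event.newGuest` from explicit, hardened options rather than the options supplied with the event. The function names (`isFixedElectronVersion`, `auditWindowConfig`, `makeSafeNewWindowHandler`) are hypothetical; `process.versions.electron` is the standard way an Electron process reports its own version (a fact about Electron, not something the thread states). The handler takes the window constructor as a parameter so it runs under plain Node with a stand-in class.

```javascript
// Added example: audit helper for the opt-out conditions quoted above.
// Function names are hypothetical; option names (webviewTag, nativeWindowOpen,
// new-window / event.newGuest) and the version thresholds come from the quote.

// Parse "1.8.4" or "2.0.0-beta.3" into numeric core parts plus an optional prerelease tag.
function parseVersion(v) {
  const [core, pre] = v.split('-');
  const nums = core.split('.').map(Number);
  const preParts = pre
    ? pre.split('.').map(p => (/^\d+$/.test(p) ? Number(p) : p))
    : null; // a final release carries no prerelease tag
  return { nums, pre: preParts };
}

// Semver-style ordering: compare major.minor.patch, then treat a release as
// newer than any prerelease of the same core version.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa.nums[i] || 0, y = pb.nums[i] || 0;
    if (x !== y) return x - y;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  for (let i = 0; i < Math.max(pa.pre.length, pb.pre.length); i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x - y;
    return String(x) < String(y) ? -1 : 1;
  }
  return 0;
}

// First fixed release per line, exactly as the quoted text lists them.
const FIXED = { '1.7': '1.7.13', '1.8': '1.8.4', '2.0': '2.0.0-beta.3' };

// True when the given Electron version is at or beyond the fix for its line.
// Inside an Electron app the version to pass is process.versions.electron.
function isFixedElectronVersion(version) {
  const line = version.split('.').slice(0, 2).join('.');
  const fixed = FIXED[line];
  if (!fixed) {
    // Lines older than 1.7 never received the fix; lines after 2.0 include it.
    return compareVersions(version, '2.0.0-beta.3') >= 0;
  }
  return compareVersions(version, fixed) >= 0;
}

// Apply the quoted conditions to one BrowserWindow's configuration.
// `newWindowHandlerIgnoresSuppliedOptions` records whether the app installs a
// new-window handler that sets event.newGuest without using the supplied options.
function auditWindowConfig({ version, webPreferences = {}, newWindowHandlerIgnoresSuppliedOptions = false }) {
  const reasons = [];
  if (isFixedElectronVersion(version)) reasons.push('Electron version includes the fix');
  if (webPreferences.webviewTag === false) reasons.push('webviewTag: false declared');
  if (webPreferences.nativeWindowOpen === true) reasons.push('nativeWindowOpen enabled');
  if (newWindowHandlerIgnoresSuppliedOptions) reasons.push('new-window handler overrides event.newGuest without the supplied options');
  return { exposed: reasons.length === 0, reasons };
}

// A new-window handler of the shape the third bullet describes: the child
// window is built from explicit, hardened webPreferences, not from the
// `options` object supplied with the event. `BrowserWindow` is injected so the
// function can be exercised outside Electron with a stand-in class.
function makeSafeNewWindowHandler(BrowserWindow) {
  return (event, url, frameName, disposition, options) => {
    event.preventDefault();
    const child = new BrowserWindow({
      show: false,
      webPreferences: { nodeIntegration: false, webviewTag: false, contextIsolation: true },
    });
    child.loadURL(url);
    event.newGuest = child;
  };
}

// Constructed sample: an app on 1.8.3 with default webPreferences is exposed;
// the same app after declaring webviewTag: false is not.
const exposed = auditWindowConfig({ version: '1.8.3', webPreferences: {} });
const optedOut = auditWindowConfig({ version: '1.8.3', webPreferences: { webviewTag: false } });
console.log(exposed, optedOut);

module.exports = { parseVersion, compareVersions, isFixedElectronVersion, auditWindowConfig, makeSafeNewWindowHandler };
```

In a real app the handler would be attached with `contents.on('new-window', makeSafeNewWindowHandler(BrowserWindow))`; the point of passing the constructor in is only that the decision logic can be checked without launching Electron.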

Is there a way to tell what version of electron an app is using?

These aren't old versions - 2 months in one case.

Slack already confirmed that they are not vulnerable: https://twitter.com/SlackHQ/status/995444608002875392

Apps using Electron are – among others – Signal, Slack and Zoom:


And Skype, VS Code, etc...

And Atom

And Github Desktop, to name another major Electron project.
