Electron is a widely used open source technology for building applications, making it a particularly lucrative attack target.
In a session at the DEFCON 30 security conference in Las Vegas, security researcher Aaditya Purani, detailed a series of vulnerabilities in Electron apps dubbed Electrovolt, that he and his team were able to discover over the course of a year of research.
"We were able to compromise 20 different electron applications, that are used by millions of people," Purani said.
The vulnerable applications included Microsoft Teams, VS Code, Discord, Mattermost, RocketChat, Notion and BaseCamp among others. Purani explained that Electron based apps have become increasingly common in recent years. Electron enables developers to encapsulate web applications into a desktop app which is rendered using the Chromium web browser.
"If you can build a website, then you can build a desktop application, that's the main concept behind Electron," Purani said. "Just using HTML, JavaScript, and CSS you can ship an entirely cross platform native desktop application."
While there is great power with Electron, there is also risk. A common function for developers to use within Electron is to load remote content, which is one of multiple ways that Electrovolt was able to exploit Electron apps.
"So the only thing you need to do as an attacker is to find a way to invade your JavaScript within the webpage," Purani said.
One such example that the researchers discovered is CVE-2021-43908 which is an exploit that targets Microsoft's VS Code. Purani suggests that a lesson learned from that specific flaws is that developers of electron apps should consider all windows as a part of the threat model and apply the most restrictive settings on all of them.
The Electrovolt researchers also discovered a remote code execution issue in the popular social messaging app Discord. The issue with Discord was a little more mundane in that the Discord desktop app was running with an older version of Electron, which in turn was using an older version of Chromium that was at risk. Microsoft Teams also found to be vulnerable to an account takeover risk, due in part to the fact that the application was using an older version of Electron.
The researchers also found that some applications were at risk from an attack vector known as Same Site Origin Spoofing. Purani explained that Chromium, like most modern web browsers, has a feature known as site isolation which applies different restriction to content coming from the same domain than it does for content coming from a different origin point. Chromium and Electron will update for issues as they arise, such as Same Site Origin Spoofing issues, but there is often a gap between when the primary project update and when Electron base apps update.
"There is a noticeable patch gap between chromium and electron applications, which makes most of them susceptible to this attack," Purani said. "If you are a developer who is always keeping up with the pace of Electron releases, then you should be much safer from the patch gap and it will be narrow."