Popular Apps Like Skype and Slack Potentially Vulnerable to a Framework Security Flaw

Jan 24, 2018

A critical security flaw in Electron, a popular framework for building cross-platform desktop applications with basic web technologies such as JavaScript, HTML, and CSS, potentially affects a large number of desktop apps, including the likes of Skype and Slack.

Electron runs on Windows, macOS, and Linux, but the flaw only affects Windows. Since its creation in 2013 by the GitHub team, the framework has become extremely popular with developers of cross-platform applications. The list of apps built on Electron includes (which does not by itself mean they are vulnerable):


  • Skype (latest version carries the security fix)
  • Visual Studio Code
  • Basecamp
  • GitHub (Atom Editor)
  • Ghost
  • Signal
  • Slack
  • Twitch
  • WordPress.com and others

However, whether a given app is exposed depends on how its developer has used custom protocol handlers. Tracked as CVE-2018-1000006, the flaw is a remote code execution vulnerability that affects Electron apps using custom protocol handlers. Apps built for Windows that register themselves as the default handler for a protocol, such as myapp://, are vulnerable: a crafted link using that protocol can make the app execute attacker-supplied code, leading to app hijacking and potential data loss.

Affected Platforms

Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.

macOS and Linux are not vulnerable to this issue.

This protocol handler vulnerability has been fixed in new versions of Electron: 1.8.2-beta.4, 1.7.11, and 1.6.16. The Electron maintainers said that app developers who cannot update their apps immediately can use a temporary workaround: append `--` as the last argument when calling app.setAsDefaultProtocolClient, so that Chromium stops parsing command-line options before it reaches the URL that Windows passes in. Several app vendors have already shipped updated builds, so end users should update their apps as soon as possible. Since the flaw only affects Windows, Microsoft has also updated Windows Defender to protect against this vulnerability.
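The following is an added example, not code from the Electron project or from any of the apps listed above. It models why a bare `--` in the handler registration neutralises the attack: Chromium treats tokens after `--` as positional arguments rather than switches, so anything derived from the protocol URL can no longer be interpreted as a command-line option. The parser here is a simplified model of Chromium's command-line handling (an assumption for illustration, not the real implementation), and the scheme `myapp://`, the executable path, and the switch name `--hypothetical-switch` are invented. The script runs under plain Node.js; the `app.setAsDefaultProtocolClient` call itself is not made, only its argument list is built, and the same `--` placement is shown for apps that register their handler directly in the Windows registry (which the advisory lists as equally affected).

```javascript
// Added example, not Electron's or any listed app's code.
// Models the CVE-2018-1000006 workaround: a bare "--" in the protocol handler
// registration stops Chromium-style switch parsing, so tokens derived from the
// protocol URL can no longer be treated as command-line switches.

// Arguments for app.setAsDefaultProtocolClient(protocol, process.execPath, args)
// in an Electron main process (the call is not made here so the script runs
// under plain Node). "--" must be the last element.
function protocolHandlerArgs(extraSwitches = []) {
  return [...extraSwitches, '--'];
}

// Equivalent (default) value for HKCR\<scheme>\shell\open\command when an app
// registers the handler itself via the registry: "<exe>" [switches] -- "%1".
// Windows replaces "%1" with the URL, so "--" must come before it.
function registryOpenCommand(exePath, extraSwitches = []) {
  return ['"' + exePath + '"', ...extraSwitches, '--', '"%1"'].join(' ');
}

// Audit helper: does an existing shell\open\command value place a bare "--"
// before the "%1" placeholder? Tokenises quoted strings as single tokens.
function handlerCommandIsHardened(command) {
  const tokens = command.match(/"[^"]*"|\S+/g) || [];
  const dashIndex = tokens.indexOf('--');
  const urlIndex = tokens.findIndex((t) => t.includes('%1'));
  return dashIndex !== -1 && urlIndex !== -1 && dashIndex < urlIndex;
}

// Simplified model of Chromium command-line parsing (an assumption for
// illustration; the real parser has more rules): before a bare "--", tokens
// starting with "--" are switches; after it, everything is positional.
function parseChromiumStyle(argv) {
  const switches = {};
  const positional = [];
  let afterDoubleDash = false;
  for (const token of argv) {
    if (!afterDoubleDash && token === '--') {
      afterDoubleDash = true;
      continue;
    }
    if (!afterDoubleDash && token.startsWith('--')) {
      const eq = token.indexOf('=');
      const name = eq === -1 ? token.slice(2) : token.slice(2, eq);
      switches[name] = eq === -1 ? '' : token.slice(eq + 1);
    } else {
      positional.push(token);
    }
  }
  return { switches, positional };
}

// Constructed argv (after the exe name) as the app would receive it once
// Windows has split the command line. Assumption: the attacker-supplied URL
// has produced a second token shaped like a switch; the switch name is
// hypothetical, not a real Chromium switch.
const TOKENS_FROM_URL = ['myapp://open/doc', '--hypothetical-switch=attacker-value'];

// Same tokens parsed without and with the "--" from the registration.
function compare() {
  return {
    vulnerable: parseChromiumStyle(TOKENS_FROM_URL),
    hardened: parseChromiumStyle([...protocolHandlerArgs(), ...TOKENS_FROM_URL]),
  };
}

console.log(JSON.stringify(compare(), null, 2));
console.log(registryOpenCommand('C:\\MyApp\\MyApp.exe'));
```

In the `vulnerable` result the injected token lands in `switches`; in the `hardened` result both tokens are positional and the switch map is empty. `handlerCommandIsHardened` is the check to run over the `shell\open\command` values of any custom schemes an Electron app has registered on a Windows host: a `--` that appears after `"%1"`, or not at all, does not help.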

Correction: an earlier version of this piece incorrectly mentioned Brave in the affected list of apps.
