In an update last week, the developers of Electron – the toolkit used to craft widely used apps from Skype and Slack to Atom – shipped a patch to their January patch, and now, an infosec researcher has explained why.
That security hole can be exploited to run arbitrary commands on a Windows PC by making a victim click on a maliciously crafted URL. It was patched on January 22, however, Luca Carettoni of Doyensec – formerly a security researcher at LinkedIn who turned up a dud patch in Adobe Flash in 2015 – took a close look at the tweaks and discovered a problem.
On Thursday this week, Carettoni wrote that while looking for missed flags in the January Electron patch, Doyensec “noticed that host-rules was absent from the blacklist. With this flag, one may specify a set of rules to rewrite domain names for requests issued by
So what? It turned out to be exploitable “by overriding the host definitions in order to perform completely transparent man-in-the-middle” attack, allowing information to be siphoned from the application or allowing the execution of arbitrary commands. Wonderful.
In a proof-of-concept video, Doyensec showed how the Windows version of Skype, built using Electron, could be tricked into forwarding “all Chromium traffic” to a malicious domain.
“Please note it is only possible to intercept traffic generated by Chromium, and not Node. For this reason Electron’s update feature, along with other critical functions, are not affected by this vulnerability,” Carettoni added.
In case they missed it, developers should get Electron's May 16 releases, v2.0.1, v1.8.7, and v1.7.15, which contain an improved blacklist, and Electron told Carettoni a “more resilient” patch will be delivered later.
And once programmers have updated their Electron-based apps, if the code is vulnerable, they should push the new versions out to users. And if you use an Electron-powered program, get ready to install any updates that come along as soon as possible. ®