When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Critical vulnerability affects Electron-based Skype, Slack and more on Windows

Neowin · · Hot! with 23 comments

Electron is a widely used open source framework for developing native applications with web technologies like JavaScript, HTML, and CSS. It is compatible with Windows, Mac and Linux, and companies like Microsoft, Facebook, Slack, and others have used it to build lots of apps.

As reported by cyberscoop, a critical vulnerability that allows remote code execution was found to affect some Electron-based apps that run on Windows, but not on Mac or Linux. In order to be vulnerable, an app must also register itself as the default handler for a protocol, such as app://.

Apps use such protocols to streamline the linking between them, so that a user can, for example, click on a link in a web browser or supported app and be redirected to a specific instance of the protocol's handler app. This kind of feature is used by several apps, but not all of those built on Electron. Skype, for example, sets itself as the handler of skype://, while Slack does the same with the protocol slack://. Both Slack and the new Skype are built on Electron and, therefore, are vulnerable.

Several other Windows desktop apps are built on Electron, including the encrypted messaging app Signal, the audio chat app Discord and the content management system WordPress.

Fortunately, Electron has already updated the framework with a patch for the vulnerability and urges developers to do the same with their apps. Both Microsoft and Slack have also confirmed that their apps are already patched and urged all users to update their Skype or Slack for desktop apps immediately. Slack for desktop is secure starting from its 3.0.3+ version, while a Microsoft spokesperson told cyberscoop that the patch was applied for "the newest version of Skype."

For those developers who cannot update their apps right away, appending "--" as the last argument when calling app.setAsDefaultProtocolClient could prevent the bug from being triggered, according to ZDNet.

But since Electron does not detail which apps make use of protocol handlers on Windows, it is not possible to know exactly which apps were affected. Therefore, as a matter of precaution, end users should always keep their applications up-to-date in order to benefit from the latest security patches.

Source: cyberscoop

Report a problem with article
Next Article

DICE working on a revamped progression system for Star Wars Battlefront II

Previous Article

Moto G5 Plus Prime Edition lockscreen can be bypassed by tapping on the ad [Update]

Join the conversation!

Login or Sign Up to read and post a comment.

23 Comments - Add comment