A group of security researchers found a series of vulnerabilities in Electron, the software framework underlying popular apps like Discord, Microsoft Teams, Slack and many others, which are used by tens of millions of people all over the world.
In all these cases, the researchers submitted vulnerabilities to Electron to get them fixed, which earned them more than $10,000 in rewards. The bugs were fixed before the researchers published their research.
Aaditya Purani, one of the researchers who found these vulnerabilities, said that “regular users should know that the Electron apps are not the same as their day-to-day browsers,” meaning they are potentially more vulnerable.
In the case of Discord, the bug Purani and his colleagues found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, hackers would have been able to take control of their computers, Purani explained in the talk.
In an interview with Motherboard after the talk, he admitted that he doesn’t run Electron apps, instead opting to use apps like Discord or Slack inside his browser, which is more hardened against hackers.
“If you are more paranoid, I recommend using the website itself because then you have the protection which Chromium has, which is much larger than the Electron,” Purani said.
Still, Purani said that it’s a good thing to have Electron underlie so many apps because “if you have just one framework, which is running all the apps, then you can just focus on hardening that same framework.”
For him, one of the main takeaways of their research is that Electron is risky precisely because users are very likely to click on links shared in Discord or Microsoft Teams.
“Don’t click on shady links,” Purani said.
Correction: a previous version of this article mistakenly stated Spotify is built on Electron, when it actually is not. We regret the error.