A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, Slack and many others, which are used by tens of millions of people all over the world.
At the Black Hat cybersecurity conference in Las Vegas on Thursday, the researchers presented their findings, detailing how they could have hacked people who use Discord, Microsoft Teams, and the chat app Element by exploiting the software underlying all of them: Electron, which is a framework built on the open source Chromium and the cross-platform JavaScript environment Node.js.
In all these cases, the researchers submitted vulnerabilities to Electron to get them fixed, which earned them more than $10,000 in rewards. The bugs were fixed before the researchers published their research.
Aaditya Purani, one of the researchers who found these vulnerabilities, said that “regular users should know that the Electron apps are not the same as their day-to-day browsers,” meaning they are potentially more vulnerable.
In the case of Discord, the bug Purani and his colleagues found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, hackers would have been able to take control of their computers, Purani explained in the talk.
In an interview with Motherboard after the talk, he admitted that he doesn’t run Electron apps, instead opting to use apps like Discord or Slack inside his browser, which is more hardened against hackers.
“If you’re more paranoid, I recommend using the website itself because then you have the security which Chromium has, which is much larger than the Electron,” Purani said.
Still, Purani said that it’s a good thing to have Electron underlie so many apps because “when you have just one framework, which is running all the apps, then you can simply focus on hardening that same framework.”
For him, one of the main takeaways of their research is that Electron is risky precisely because users are very likely to click on links shared in Discord or Microsoft Teams.
“Do not click on shady links,” Purani said.
Correction: a previous version of this article mistakenly stated Spotify is built on Electron, when it actually is not. We regret the error.