Cybersecurity researchers have discovered a flaw in Electron, the popular framework used by many apps, including Discord and Spotify. This allows any hacker with the knowledge to easily take possession of his victim’s account. Fortunately, Electron’s developers have been notified and have fixed the vulnerability.
That a flaw is in an application is bad enough in itself, but when it is in a framework used by many very popular applications, we face a real security problem. This is precisely what happened to Electron. If you don’t know this name, there is a very good chance that you use it daily.
Electron is indeed the reference framework for web applications that want to offer a desktop version to their users. It is thus on the latter that Discord, Spotify, and globally several online messaging services such as Microsoft Teams, which each have tens of millions of users, are based. However, during the Black Hat conference held this Thursday, August 11 in Las Vegas, a group of researchers revealed that it is very easy to hack Electron and, de facto, the applications that use it.
Related — Spotify: Fake Artists Hack Accounts to Generate Fake Plays
All Electron-based apps were vulnerable due to this big flaw
The researchers thus took the example of Discord, which made the task particularly easy for hackers. Indeed, all they had to do was send a malicious link (links which already abound on the platform) to a video to their victim to take possession of their account. Very bad news for messaging which is already plagued by multiple hacker attacks.
For Microsoft Teams, a simple meeting invitation is enough. The sent link allowed hackers to control their target’s PC. “Ordinary users should know that Electron apps are not the same as their everyday browsers,” says Aaditya Purani, who himself admits to never using Electron apps. The researchers reported their finding to the framework’s developers, who quickly patched the flaw.
Source: Vice