Changes to make Electron less prone to Node.js inspector executions #8169

Open
Gioyik opened this issue Sep 26, 2022 · 1 comment

Gioyik commented Sep 26, 2022

Recently I have seen an increase in people using the ability to enable the communication of the inspector mechanism of Node.js (which applies to Electron-based apps) to execute/spawn host applications. The topic has received a bit more publicity lately: https://twitter.com/evilsocket/status/1564286074536738816 and https://github.com/evilsocket/jscythe.

The current behavior in the tweet is patched (electron/electron#33188) in the latest versions of Electron, but only if the Electron app uses fuses (https://github.com/electron/fuses). There are other apps, like 1Password, that have other packages to block this behavior: https://github.com/1Password/electron-hardener.

I want to know if this is something that should be kept in mind for the Electron app, if it applies, and what measures can be taken.
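
A defender-side check for the launches this issue describes, as an added example that is not part of the original thread or of any project's code: it scans process-creation records for the documented Node.js inspector switches (`--inspect`, `--inspect-brk`, `--inspect-port`) in the command line or in `NODE_OPTIONS`. The record shape, the function names and the sample data are assumptions made for the illustration.

```javascript
// Added example: record shape, helper names and sample data are assumptions.
// Documented Node.js switches that configure or open the inspector endpoint.
const SWITCH = /^--(inspect|inspect-brk|inspect-port)(?:=(.*))?$/;
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '::1']);

// Parse the optional [host:]port value; Node.js binds to 127.0.0.1 by default.
function parseEndpoint(value = '') {
  const m = /^(?:(.*):)?(\d+)$/.exec(value); // [host:]port, IPv6 host in brackets
  if (m) return { host: (m[1] || '127.0.0.1').replace(/^\[|\]$/g, ''), port: Number(m[2]) };
  return { host: value || '127.0.0.1', port: null }; // host only, or no value at all
}

// Collect every inspector switch in a token list, noting where it came from.
function inspectorHits(tokens, source) {
  const hits = [];
  for (const tok of tokens) {
    const m = SWITCH.exec(tok);
    if (!m) continue;
    const ep = parseEndpoint(m[2]);
    hits.push({ source, switch: m[1], ...ep, exposed: !LOOPBACK.has(ep.host) });
  }
  return hits;
}

// Return one finding per process whose argv or NODE_OPTIONS carries a switch.
function findInspectorLaunches(records) {
  const findings = [];
  for (const rec of records) {
    const nodeOptions = ((rec.env || {}).NODE_OPTIONS || '').split(/\s+/).filter(Boolean);
    const hits = [
      ...inspectorHits(rec.argv.slice(1), 'argv'),
      ...inspectorHits(nodeOptions, 'NODE_OPTIONS'),
    ];
    if (hits.length) findings.push({ pid: rec.pid, image: rec.argv[0], hits });
  }
  return findings;
}

// Constructed process-creation records for a hypothetical app (not real telemetry).
const APP = '/opt/ExampleApp/exampleapp';
const SAMPLE = [
  { pid: 101, argv: [APP], env: {} },
  { pid: 102, argv: [APP, '--inspect=9229'], env: {} },
  { pid: 103, argv: [APP, '--inspect-brk=[::1]:9229'], env: {} },
  { pid: 104, argv: [APP], env: { NODE_OPTIONS: '--inspect-brk=0.0.0.0:9230' } },
  { pid: 105, argv: [APP, '--inspector-theme=dark'], env: {} }, // look-alike, ignored
];
console.log(JSON.stringify(findInspectorLaunches(SAMPLE), null, 2));
```

A hit with `exposed: true` means the switch asked for a listener on an address other than loopback.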

Gioyik commented Sep 27, 2022

A little more history about this issue is mentioned here: https://github.com/antelle/electron-evil-feature-patcher
