Researchers find vulnerabilities in software underlying Discord, Microsoft Teams and other apps
Hacking. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reporting on the dark underbelly of the internet.
A group of security researchers found a number of vulnerabilities in the software that underlies popular apps such as Discord, Microsoft Teams, Slack and many others, which are used by tens of millions of people worldwide.
In all of these cases, the researchers submitted vulnerabilities to Electron to have them fixed, earning them more than $10,000 in rewards. The errors were fixed before the researchers published their research.
Aaditya Purani, one of the researchers who found these vulnerabilities, said that “regular users should know that Electron apps are not the same as their everyday browsers,” meaning they are potentially more vulnerable.
In the case of Discord, the bug only required Purani and his colleagues to send a malicious link to a video. With Microsoft Teams, the flaw they found could be exploited by inviting a victim to a meeting. In either case, if the targets clicked on those links, hackers would have been able to take control of their computers, Purani explained in the speech.
In an interview with Motherboard after the talk, he admitted that he doesn’t run Electron apps, instead choosing to use apps like Discord or Slack in his browser, which are more hardened against hackers.
“If you’re more paranoid, I recommend using the site itself because you have the protection that Chromium has, which is much greater than the electron,” Purani said.
Still, Purani said that having Electron under so many apps is a good thing because “if you only have one framework, which runs all the apps, then you can just focus on hardening that same framework.”
For him, one of the main results of their research is that Electron is risky precisely because users are very likely to click on links shared in Discord or Microsoft Teams.
“Don’t click on shady links,” Purani said.
Correction: an earlier version of this article incorrectly stated that Spotify is built on Electron, when in fact it is not. We apologize for the error.
Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.