Chromium vulnerabilities threaten Electron app security
Posted on
by
Kirk McElhearn
In the past week, we have seen two serious vulnerabilities for the Chromium web browser codebase used in browsers such as Chrome, Edge, Brave, Opera, and Vivaldi. Both of these vulnerabilities have been observed to be used in the wild; in other words, they have been actively exploited. Updating these browsers is essential for user security.
Google Chrome, Microsoft Edge, and Vivaldi all patched the first vulnerability on April 14. Brave updated its browser the following day, and Opera waited until April 18 to release an update. The second vulnerability led to updates to Chrome, Edge, Brave, and Vivaldi on April 19. Opera has not, at the time of this writing, patched the second vulnerability.
But what many users may not realize is that lots of other apps that aren’t web browsers also use the Chromium browser codebase, and may be impacted by Chromium security issues. Apps based on the popular Electron framework are of particular concern because it’s used by many popular apps, as we will explore below. Here’s what you need to know—whether you’re a user or a developer of Electron apps.
In this article:
- What is Electron?
- Chromium and Electron
- Electron apps and security
- Zero-click exploits and delays in patch deployment
- The danger of Electron apps using unpatched Chromium
- Key takeaways for developers of Electron apps
- Key takeaways for users of Electron apps
- How can I learn more?
What is Electron?
Electron is a cross-platform software framework used to make desktop apps using web technologies. Many popular apps are based on Electron, and run on macOS, Windows, and Linux—and you probably use some of them.
Some of the most well-known and widely used Electron apps include the desktop versions of 1Password, Discord, Dropbox, Figma, GitHub, Microsoft Teams, Notion, Obsidian, Signal, Skype, Slack, Trello, Twitch, WhatsApp, WordPress, and Zoom. This is just a partial list of some of the most popular apps that utilize the Electron framework. You may even find Electron-based apps in the Mac App Store.
Chromium and Electron
The Chromium project is an open-source browser codebase encompassing the Blink and V8 rendering engines and other technologies.
It’s a lot like the WebKit project, upon which Apple bases its own Safari browser. Apple also uses the WebKit engine to render content in other apps. These include Mail, News, and Stocks, displaying content from web pages, interpreting HTML, CSS, JavaScript, and other code.
Similarly, Chromium’s codebase is not just used for Chrome and other browsers; it’s also the basis for page rendering in Electron apps and other apps.
Electron apps and security
Since Electron is based on Chromium, software vulnerabilities in Chromium can affect the security of Electron-based apps. Browser codebases like Chromium and WebKit can display web pages, but can also be used to display entire app interfaces. The vulnerabilities discovered recently can have serious implications, but only when they display external or user-provided HTML content.
The description for the vulnerability patched on April 19 says it could “allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.” This means that if software using Chromium loads certain web pages, malicious software may have access to elements of the user’s system that are normally off limits.
Many of the Electron apps mentioned above don’t render HTML pages as such; they are not web browsers, but use Chromium to render interface elements for apps. However, some of these apps, such as Skype, Slack, and WhatsApp, may display rich previews of URLs shared in chats. In such cases, they may be affected by these recent vulnerabilities.
Maliciously crafted web pages, even when just displayed as a rich preview, could potentially impact user security. The app essentially “opens” the web page to create the preview, and this can lead to zero-click exploits.
(Note that if an app generates previews via a remote server instead, this can mitigate client-side rendering vulnerabilities. However, this also potentially threatens users’ privacy, especially if they’re sharing private URLs only intended for the recipient.)
Zero-click exploits and delays in patch deployment
Recently, several zero-click exploits were discovered targeting iOS users, and at least one of these was mitigated by using Apple’s Lockdown Mode, a technology we’ve discussed various times on the Intego Mac Podcast. One of the features of Lockdown Mode is that it blocks links and link previews in the Messages app.
As Electron itself points out, “displaying arbitrary content from untrusted sources poses a severe security risk that Electron is not intended to handle.” Electron does not update its software with every Chromium security update; in fact, the company says, “Electron keeps up to date with alternating Chromium releases.”
This means that these recent Chromium security updates may not be incorporated into Electron until May 30, according to Electron’s release timeline. For reference, the last time a new version of Chromium was incorporated into Electron was April 14; however, the previous version of Chromium was utilized, not the Chromium version that included that day’s urgent security fix.
But even when the Electron framework incorporates a patched version of Chromium, that’s not where the potential problems end.
It’s also worth pointing out that there can be other vulnerabilities in Electron, unrelated to Chromium.
Moreover, after each time the Electron framework gets updated, it’s then up to software vendors to update their apps to use the newest framework. In some cases, this can take a long time. Some apps issue update at their own cadence, regardless of updates to Electron. Zoom updates its app every few days, whereas Skype updates its app much less frequently (roughly every month). Slack sometimes goes several months between updates.
The danger of Electron apps using unpatched Chromium
It’s important to understand that if you use Electron apps that can render link previews on the client side, or display other user-provided web code, your security depends on the long chain of updates to Chromium, then Electron, then each individual Electron-based app you use.
While there can be other security vulnerabilities that affect Electron apps, its dependence on the high-value target Chromium, and the time it takes for Electron to update its framework for Chromium patches, means that it is often possible for these vulnerabilities to be exploited in Electron apps.
Key takeaways for developers of Electron apps
If you’re a developer of an Electron-based app, always update your app to the latest Electron framework quickly to help protect your users’ security. Frequently updating your app’s Electron framework helps users avoid being harmed by both Chromium-related and other Electron vulnerabilities.
If your app displays rich previews generated on the client side, or allows for the rendering of external or user-provided web content in any way, it’s best to turn these features off by default. You can offer users a setting to enable such previews if they understand and accept the risks.
Key takeaways for users of Electron apps
If you use an Electron-based app that hasn’t been updated recently, and if you know that the app displays link previews or web content in any way, contact the app’s developer to ask them to keep the Electron framework updated for security reasons. You may want to point them to this article.
Also, if the app offers you the ability to disable automatic link previews, it’s best to do so for your own safety.
How can I learn more?
Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, including security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes. You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: 
