An anonymous reader quotes Motherboard’s post: A group of security researchers has found a series of vulnerabilities in the software that underlies popular programs like Discord, Microsoft Teams, Spotify and many others that are used by tens of millions of people around the world. At the Black Hat cybersecurity conference in Las Vegas on Thursday, the researchers presented their findings, detailing how they were able to hack into people using Discord, Microsoft Teams and the Element chat app using the software that underpins them all: Electron, which is a framework built on the open source Chromium and cross-platform JavaScript environment Node.js. In all of these cases, the researchers submitted the vulnerabilities to Electron to be patched, earning them more than $10,000 in rewards. The errors were corrected before the researchers published their study.
Aaditya Purani, one of the researchers who discovered the vulnerabilities, said that “regular users should be aware that Electron applications are different from their everyday browsers,” meaning they are potentially more vulnerable. In the case of Discord, the bug Purani and his colleagues discovered only required sending a malicious link to a video. In Microsoft Teams, the detected bug could be exploited by inviting the victim to a meeting. In both cases, if the targets clicked on those links, the hackers would be able to take control of their computers, Purani explained in the interview. For him, one of the main findings of their research is that Electron is risky precisely because users are very likely to click on links shared in Discord or Microsoft Teams.