Security News Security Flaw Impacts Electron-Based Apps Such as Skype, GitHub, Discord, Others

LASER_oneXM

Security researchers have found a security flaw in Electron, a software framework that has been used in the past half-decade for building a wealth of popular desktop applications.

Apps built on top of Electron include Microsoft's Skype and Visual Studio Code, GitHub's Atom code editor, the Brave browser, along with official desktop apps for services like Signal, Twitch, Discord, Basecamp, Slack, Ghost, WordPress.com, and many more.

The framework has become very popular among today's software development community because it allows developers to easily port web-based apps coded in HTML, JS, and CSS to run on the desktop. The software framework is a custom API wrapped around the Node.js server-side JavaScript server.

Electron and its dangerous Node.js APIs and modules
When building Electron-based apps, developers have the option of using a limited environment by using mostly the Electron API, but they can also tap into the Node.js APIs and modules.

Because the Node.js project is a more mature project, Node's APIs and built-in modules provide a deeper integration with the underlying OS and allow the developer and the app access to more OS features.

The Electron team was aware of this problem and created a mechanism that prevents attacks on Electron-based apps from tapping into these APIs to harm the underlying OS.
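The following is an added example, not part of the original post or of the Electron project's code. It assumes the mechanism described above corresponds to Electron's `BrowserWindow` `webPreferences` switches such as `nodeIntegration` (the post does not name it), and audits a preferences object for settings that expose Node.js APIs to web content. The function name, rule table and sample objects are constructed for illustration.

```javascript
// Added example: audits a webPreferences object offline (Electron itself is not required).

// Option name -> value that keeps Node.js APIs away from web content.
const HARDENED = {
  nodeIntegration: false,            // no require()/process in the renderer
  nodeIntegrationInWorker: false,    // same, for web workers
  nodeIntegrationInSubFrames: false, // same, for iframes and child windows
  contextIsolation: true,            // preload script runs in a separate JS context
  sandbox: true,                     // renderer runs inside the Chromium sandbox
  webviewTag: false,                 // <webview> tag disabled
};

// Returns one finding per option that is explicitly unsafe, or left unset.
// Unset options are reported because their defaults differ between Electron
// releases, so relying on them makes the app's exposure version-dependent.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [key, safe] of Object.entries(HARDENED)) {
    if (!(key in prefs)) {
      findings.push({ key, status: 'unset' });
    } else if (prefs[key] !== safe) {
      findings.push({ key, status: 'unsafe', value: prefs[key] });
    }
  }
  return findings;
}

// Constructed sample configurations (hypothetical paths and values).
const weakPrefs = { nodeIntegration: true, contextIsolation: false };
const hardenedPrefs = { ...HARDENED, preload: '/app/preload.js' };

// One line per finding, suitable for a CI log.
function report(name, prefs) {
  const findings = auditWebPreferences(prefs);
  if (findings.length === 0) return [`${name}: ok`];
  return findings.map((f) =>
    f.status === 'unsafe'
      ? `${name}: ${f.key}=${f.value} exposes Node.js or weakens isolation`
      : `${name}: ${f.key} not set explicitly`
  );
}

for (const line of [...report('weak', weakPrefs), ...report('hardened', hardenedPrefs)]) {
  console.log(line);
}
```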