It's 2020 so not only is your mouse config tool a Node.JS Electron app, it's also pwnable by an evil webpage

The KensingtonWorks app is based on the Electron framework, which allows developers to create cross-platform desktop apps using JavaScript, Node.js, and other web technologies.
Many of the recent security improvements in Electron involve new APIs and best practices to keep Electron's main process and its access to the Node.js APIs isolated from Electron's rendering process, which runs web code.
For Heaton the issue is the architecture of the KensingtonWorks app - such as its use of a local, poorly secured web server to receive user-interface clicks - rather than the use of the Electron framework.
"The problem is running a local web server and not securing it - the fact that the app has an Electron frontend doesn't affect this. The second vulnerability does exploit the fact that Electron apps can potentially be XSS-ed if you don't sanitize your data, but so can browsers and no one grumbles about that too much."
Most desktop applications, he said, don't rely on a local web server to handle user clicks on the app interface.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/09/30/kensingtonworks_mouse_flaw/