{
	"id": "978a7c40-ef43-41c9-a40d-b109f4ae1ff9",
	"created_at": "2026-04-06T00:09:31.675619Z",
	"updated_at": "2026-04-10T13:11:36.430271Z",
	"deleted_at": null,
	"sha1_hash": "84f5f38554647466cfccadde0623159cdf4fa763",
	"title": "Security of Electron-based desktop applications",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2382514,
	"plain_text": "Security of Electron-based desktop applications\r\nBy Alanna Titterington\r\nPublished: 2023-09-14 · Archived: 2026-04-05 15:25:04 UTC\r\nEarly this year I gave you five reasons to avoid desktop versions of messengers. The fact that many such\r\napplications use the Electron framework is one of them. This means that such a messenger works as an additional\r\nbrowser in your system, and its updates are quite difficult to control.\r\nBut, as I wrote in that post, it has become clear the problem is much more widespread — affecting not only\r\nmessengers but hundreds of other apps as well. Chances are, because of Electron-based apps, you have a many\r\nmore browsers than you think in your system this very minute…\r\nWhat is Electron, and why do application developers want to use it?\r\nElectron is a cross-platform desktop application development framework that employs web technologies —\r\nmostly HTML, CSS, and JavaScript. It was originally created by GitHub for its source code editor Atom (hence its\r\noriginal name — Atom Shell). Later on the framework was renamed Electron, ultimately evolving into an\r\nextremely popular tool used to create desktop applications for various operating systems, including Windows,\r\nmacOS, and Linux.\r\nMain page of the Electron framework official site. Source\r\nElectron itself is based on the Chromium browser engine, which is responsible for displaying web content within a\r\ndesktop application. So any Electron application is effectively a single website opened in the Chromium browser.\r\nhttps://www.kaspersky.com/blog/electron-framework-security-issues/49035/\r\nPage 1 of 6\n\nUsers usually have no idea at all how the thing works. From their point of view, an Electron application is just\r\nanother program you install, run in the usual way, give access to some files, occasionally update to the newest\r\nversion, and so on.\r\nWhy has Electron grown so popular with developers? 
The idea is mainly this: no matter what digital service one\r\nmight want to create, a web version is still needed. And the Electron framework allows you to develop just the\r\nweb version and, based on it, produce full-fledged apps for all the desktop operating systems out there.\r\nElectron’s other convenience features include making installation packages, their diagnostics, publication to app\r\nstores, and automatic updates.\r\nEt tu autem, Brute! You can find Electron in apps you least expect to\r\nSumming up, the Electron framework is popular among developers — most particularly as it allows them to greatly\r\naccelerate and simplify the application development process for all desktop operating systems in one go.\r\nIssues with Electron-based applications\r\nElectron-based applications have a number of drawbacks. The most obvious from the users’ perspective is their\r\nsluggishness. Electron-based software is usually resource-intensive and suffers from excessive file size. No\r\nwonder: each such app carries its whole home on its back like a snail: a full-blown Chromium browser. In effect, it\r\noperates through that browser — serving as a sort of intermediary.\r\nNext issue: web browsers are a favorite target of cybercriminals. It’s worth repeating: inside every Electron-based\r\napp there’s a separate instance of the Chromium web browser. This means your system may have a dozen\r\nadditional browsers installed, all of which present a tempting target for criminals.\r\nNew, serious vulnerabilities pop up almost weekly in a popular browser like Chrome/Chromium: so far this year\r\nmore than 70 high-severity and three critical-severity vulnerabilities have been found in Chromium as of the time of\r\nwriting. Worse yet, exploits for the world’s most popular browser’s vulnerabilities appear really quickly. 
This means\r\nthat a good part of Chrome/Chromium holes are not just abstract bugs you treat as a matter of routine — they’re\r\nvulnerabilities that can be used for attacks by cybercriminals out in the wild.\r\nEven in fine print, Chromium vulnerabilities found so far in 2023 take up several screens. Source\r\nFor the standalone Chrome browser, this isn’t such a serious problem. Google is very quick to release patches and\r\nrather persistent in convincing users to install them and restart their browser (it even thoughtfully re-opens all their\r\nprecious tabs after restarting so they don’t need to fear updating).\r\nThings are very different for Electron-based apps. A Chromium browser built into such an app will only get\r\npatched if the app’s vendor has released a new version and successfully communicated to users the need to install\r\nit.\r\nSo it appears that, with a bunch of installed Electron apps, not only do you have multiple browsers installed on\r\nyour system, but also little to no control over how updated and secure those browsers are, or how many unpatched\r\nvulnerabilities they contain.\r\nThe framework’s creators know full well about the problem, and strongly recommend that app developers release\r\npatches on time. Alas, users can only hope that those recommendations are followed.\r\nAnd here’s a fresh example: On September 11, Google fixed the CVE-2023-4863 vulnerability in Google Chrome.\r\nAt that point, it was already actively exploited in the wild. It allows a remote attacker to perform an out-of-bounds\r\nmemory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is\r\npresent in Chromium and all Electron-based applications. 
So, all companies using it in their applications will have\r\nto work on updates.\r\nWhich desktop applications are based on Electron?\r\nNot many folks seem to know how incredibly common Electron-based desktop applications are. I’ll bet you are\r\nusing more than one of them. Check them out yourself:\r\n1Password\r\nAgora Flat\r\nAsana\r\nDiscord\r\nFigma\r\nGitHub Desktop\r\nHyper\r\nLoom\r\nMicrosoft Teams\r\nNotion\r\nObsidian\r\nPolyplane\r\nPostman\r\nSignal\r\nSkype\r\nSlack\r\nSplice\r\nTidal\r\nTrello\r\nTwitch\r\nVisual Studio Code\r\nWhatsApp\r\nWordPress Desktop\r\nI personally use around a third of the apps from the list (but, for the record, none of them as desktop applications).\r\nThat list is not exhaustive at all though, representing only the most popular Electron-based applications. In total\r\nthere are several hundred such applications. A more or less complete list of them can be found on a special page\r\non the official website of the framework (but, it seems, not all of them are listed even there).\r\nThe list of Electron-based desktop applications comprises several hundred online services, including about 20\r\nreally popular ones. Source\r\nSecurity considerations\r\nSo how do you avoid the threats posed by uncontrolled browsers that thoughtful developers are now unpredictably\r\nembedding into desktop apps? I have three main tips regarding this:\r\nMinimize the number of Electron-based apps as much as possible. 
It’s not as difficult as it seems: the very\r\nfact of using the framework normally suggests that the service has an extremely advanced web version,\r\nwhich is most likely on a par with the desktop application in terms of features and convenience.\r\nTry to inventory all Electron-based apps used by your company’s employees, and prioritize their updates.\r\nMore often than not, these are collaboration applications of different forms and shades — from Microsoft\r\nTeams, Slack, and Asana, to GitHub and Figma.\r\nUse a reliable security solution. It will help you repel attacks in those periods when vulnerabilities are\r\nalready known and being exploited but the patches haven’t yet been issued. By the way, Kaspersky\r\nproducts have an exploit protection system: it helps our experts detect the exploitation of new, as yet\r\nunknown vulnerabilities, and warns the developers of the corresponding programs about these holes.\r\nSource: https://www.kaspersky.com/blog/electron-framework-security-issues/49035/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.kaspersky.com/blog/electron-framework-security-issues/49035/"
	],
	"report_names": [
		"49035"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434171,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84f5f38554647466cfccadde0623159cdf4fa763.pdf",
		"text": "https://archive.orkl.eu/84f5f38554647466cfccadde0623159cdf4fa763.txt",
		"img": "https://archive.orkl.eu/84f5f38554647466cfccadde0623159cdf4fa763.jpg"
	}
}