{
	"id": "4df3f8ad-381f-4874-9e2f-db61f28a59a8",
	"created_at": "2026-04-06T00:11:19.109932Z",
	"updated_at": "2026-04-10T03:36:48.108696Z",
	"deleted_at": null,
	"sha1_hash": "fb0a5101cb80103e43c8e0d587b41cf1d9e34c69",
	"title": "Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 639196,
	"plain_text": "Vulnerability in Electron-based Application: Unintentionally Giving Malicious Code Room to Run\r\nBy CertiK\r\nPublished: 2020-07-02 · Archived: 2026-04-05 16:57:26 UTC\r\nBackground\r\nOne of our security engineers discovered a remote code execution vulnerability in the Symbol desktop wallet and reported the vulnerability through their bug bounty program. Given the nature of the issue, the Symbol team took immediate action to update their code, and a fix was deployed in the v0.9.11 release.\r\nThough the HackerOne report is not yet public, we give many thanks to the Symbol team for allowing us to disclose and share our findings.\r\nhttps://medium.com/certik/vulnerability-in-electron-based-application-unintentionally-giving-malicious-code-room-to-run-e2e1447d01b8\r\nPage 1 of 7\r\nThe Symbol wallet is an Electron-based desktop application, and the vulnerability we found was in the Electron configuration itself. Before jumping into the finding, let’s briefly review what Electron is and the security aspects of its applications.\r\nWhat is Electron?\r\nElectron is an open-source software framework developed and maintained by GitHub, enabling developers to build cross-platform desktop applications with web technologies such as HTML, CSS, and JavaScript. Electron combines the Chromium rendering engine and Node.js into a single runtime. Some well-known Electron applications include the Atom editor, Visual Studio Code, and Slack.\r\nThere are a couple of benefits to using Electron:\r\nWeb developers can build cross-platform desktop applications that run on different operating systems with major JavaScript framework libraries, including Angular, React and Vue, all without needing to spend extra time learning new programming languages.\r\nDebugging an Electron-based application is easier than debugging a traditional desktop application. The DevTools extension in Chromium allows developers to debug their Electron-based application the same way as a web application.\r\nElectron security and the danger of Node.js\r\nElectron-based applications are essentially web applications, so they are exposed to common web vulnerabilities such as cross-site scripting (XSS), SQL injection, and authentication and authorization flaws.\r\nElectron comes with a number of APIs to support the development of desktop applications, and on top of that, it can also use Node.js modules. Access to Node.js modules allows Electron-based desktop applications to support more features than regular web applications that run in a web browser. However, enabling Node.js comes with greater security risk: if attackers can find a way to inject malicious JavaScript into the application, they can execute system commands on the victim’s machine.\r\nChecking if Node.js is enabled\r\nTo check whether Node.js is enabled in the Electron application, users can enter the module import function require in the development console. The development console can be opened in Chrome with \"option+command+i\" on macOS.\r\nIf Node.js is disabled, the console will return an error message, “require is not defined”, as seen in the following screenshot:\r\nWhen Node.js is disabled\r\nBut if Node.js is enabled, users will see the following:\r\nWhen Node.js is enabled\r\nThe danger with enabling Node.js is that it leaves an opening for hackers to execute malicious system commands by injecting JavaScript code.\r\nFor an example of how this would work, you can try sending the following command in the development console to open the calculator program in macOS:\r\nrequire('child_process').exec('/System/Applications/Calculator.app/Contents/MacOS/Calculator')\r\nTo mitigate the potential risk of system code execution caused by injected JavaScript, starting from version 5.0.0, Electron has disabled access to Node.js by default. Developers can re-enable access to Node.js by setting nodeIntegration to true in the build configuration file (though this is not recommended!).\r\nNote that in 2018, a critical vulnerability was also discovered in Electron that allowed attackers to re-enable Node.js integration at runtime, which could potentially lead to remote code execution. This blog explains more in detail. The point here is that it’s important to keep your application up-to-date with the latest Electron framework release.\r\nHow to exploit the Symbol wallet remote code execution vulnerability\r\nNow that we know one of the items to look for when testing an Electron-based application, let’s dive into the vulnerability we discovered in the Symbol wallet.\r\nThe Symbol desktop wallet is open-source, and the source code for the application can be found in their GitHub repository.\r\nThe build.js file is the Electron build configuration file for their application. The code snippet below checks if the application runs on Darwin (macOS); if not, app.on creates a new browser window with the createWindow function.\r\n....code...\r\nif (process.platform === 'darwin') {\r\n  app.on('ready', createMac)\r\n} else {\r\n  app.on('ready', createWindow)\r\n....code...\r\nIn the createWindow function, the windowOptions variable inside the function contains the browser window configuration options. Notice the line highlighted in red: the nodeIntegration setting is true, which enables Node.js in the Electron application:\r\n...code...\r\nfunction createWindow() {\r\n  const windowOptions = {\r\n    minWidth: width,\r\n    minHeight: height,\r\n    width: width,\r\n    height: height,\r\n    title: app.getName(),\r\n    titleBarStyle: 'hiddenInset',\r\n    webPreferences: {\r\n      nodeIntegration: true,\r\n    },\r\n    resizable: true,\r\n  }\r\n....code...\r\n  mainWindow = new BrowserWindow(windowOptions)\r\n}\r\nBased on the build.js configuration file, we learn that if the application runs on the Windows operating system, Node.js will be enabled. In order to take advantage of the enabled Node.js, an attacker would need to find a way to execute arbitrary JavaScript in the application. This can often be achieved by exploiting a cross-site scripting (XSS) vulnerability, or by a user unknowingly loading, from within the Electron application, a remote web page embedded with JavaScript that a hacker controls.\r\nLuckily for us, the Symbol desktop wallet (release v9.7) provides a feature to view “News”. Once the user clicks a link in the news feed, the application navigates away from the wallet interface and loads the external website (GitHub, in this case) inside the current window.\r\nShow me the exploit!\r\nTo demonstrate, you can host the code snippet below on your website; getting a link to that website onto GitHub is a trivial task. With nodeIntegration set to true and Node.js enabled, arbitrary JavaScript execution can be escalated to remote code execution with the help of the \"child_process\" module.\r\nAfter the user visits the infected page and clicks the “Close” button, the calculator will open on the user’s computer. The calculator itself is harmless, but in this example, the fact that it even opened on the target system means that the application was vulnerable and successfully exploited.\r\nTo see the exploit in action, check out the proof-of-concept video: https://www.youtube.com/watch?v=X5R2xC3Jcy0\r\nProof-of-Concept code snippet:\r\n\u003c!DOCTYPE html\u003e\r\n\u003ch1\u003eclick me\u003c/h1\u003e\r\n\u003cbutton type=\"button\" onClick=\"rce_calc()\"\u003eSubmit\u003c/button\u003e\r\n\u003cscript\u003e\r\n  function rce_calc() {\r\n    const { exec } = require('child_process');\r\n    exec('calc');\r\n  }\r\n\u003c/script\u003e\r\nThis example presents the steps of the exploit pretty obviously; the payload requires the user to click the button to trigger the system command. In reality, an attacker may host a malicious script that triggers the system command execution automatically and inconspicuously when users visit the page.\r\nSymbol resolved the issue we detected by setting nodeIntegration to false, which prevents JavaScript from accessing Node.js functions. This change is reflected in their current build.js file. They have also updated the \"News\" feature to prohibit loading remote websites into the Electron window.\r\nExploring other Electron-based cryptocurrency wallets\r\nAs a security researcher, when you exploit a vulnerability in one application, you always want to see if the same type of vulnerability exists elsewhere. With just a quick search, we found another notable Electron-based cryptocurrency wallet: MyCrypto.\r\nAt the time of testing, we discovered MyCrypto had nodeIntegration set to true and Node.js enabled. Though we didn't find a way to exploit the vulnerability with cross-site scripting or arbitrary page redirection inside the application, we know best practice is to prevent hackers from turning \"self-XSS\" into command execution.\r\nTrue to our and CertiK’s core values, we reported the issue to MyCrypto as well via their GitHub repository: https://github.com/MyCryptoHQ/MyCrypto/issues/3261\r\nAfter we reported the issue, MyCrypto stated the vulnerability will be fixed in the next release.\r\nTakeaways and Lessons Learned\r\nWith the time we spent learning the ins and outs of the Electron framework, we’ve put together a quick list that you can reference to improve the security of Electron-based applications:\r\nRemove access to the development console in any production releases.\r\nSet nodeIntegration to false unless the application absolutely requires it.\r\nDisallow the application from navigating away from the main application with event.preventDefault().\r\nDevelop the application in React, Vue, or Angular (2+) to minimize the chance of a cross-site scripting (XSS) vulnerability.\r\nKeep your application up-to-date with the latest Electron framework release.\r\nRegularly review the official security guidance when developing your Electron application; it contains helpful security recommendations.\r\nAdditionally, performing security audits and penetration tests, whether by an internal security team or a third-party firm, is important to ensure the security of your system. Security professionals will attempt to break the system with a malicious hacker’s mindset, helping identify and remediate vulnerabilities before a bad actor exploits them.\r\nCertiK is deep-rooted in academia, but our strength is in taking the research that’s available and applying it to real-world situations. We aim to provide value with our security-first philosophy through the use of rigorous techniques, creative thinking, and adaptability. It is our goal and responsibility to contribute to the crypto \u0026 blockchain community and help companies secure their users’ assets for a more secure experience.\r\nIf you’re interested in getting an external team to check the security of your systems, contact us for a proposal and quote at bd@certik.io\r\nReferences\r\nhttps://www.electronjs.org/docs/tutorial/security\r\nSource: https://medium.com/certik/vulnerability-in-electron-based-application-unintentionally-giving-malicious-code-room-to-run-e2e1447d01b8",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://medium.com/certik/vulnerability-in-electron-based-application-unintentionally-giving-malicious-code-room-to-run-e2e1447d01b8"
	],
	"report_names": [
		"vulnerability-in-electron-based-application-unintentionally-giving-malicious-code-room-to-run-e2e1447d01b8"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434279,
	"ts_updated_at": 1775792208,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb0a5101cb80103e43c8e0d587b41cf1d9e34c69.pdf",
		"text": "https://archive.orkl.eu/fb0a5101cb80103e43c8e0d587b41cf1d9e34c69.txt",
		"img": "https://archive.orkl.eu/fb0a5101cb80103e43c8e0d587b41cf1d9e34c69.jpg"
	}
}