When working with Electron, it is important to understand that Electron is not a web browser. It allows you to build feature-rich desktop applications with familiar web technologies, but your code wields much greater power. JavaScript can access the filesystem, user shell, and more. This allows you to build high quality native applications, but the inherent security risks scale with the additional powers granted to your code.
With that in mind, you should never ever load links to external websites inside the Electron context.
Agama opens links to:
- https://komodoplatform.com
- https://sprnt.slack.com
- https://docs.google.com/forms/
- https://kmd.explorer.supernet.org
These are all opened inside the Electron context.
There may be more links but those were the only ones I found.
This means any of those sites can gain access to the `electron` module and use its `remote.require` functionality to require native Node.js modules and communicate with the main Node.js process via IPC. It could then require the Node.js `child_process` module and use it to issue shell commands to the operating system.
It's just a single line of code:
```js
require('electron').remote.require('child_process').execSync('cat /etc/passwd').toString()
```

Output:

```
root:!:0:0::/:/usr/bin/bash
alice:!:1:1::/usr/bin/bash:
bin:!:2:2::/usr/bin/bash:
```
This includes third-party JavaScript for ads, analytics, etc.: any JavaScript running on any of those remote sites has full access to the user's machine. They can install backdoors, key loggers, steal keys, look for other wallet files, anything.
For example, here is a screenshot of some JavaScript running in the context of the https://sprnt.slack.com popup window and running arbitrary shell commands on my machine.
All external websites should be opened in the default browser by the operating system.
Also, the Electron security documentation is well worth a read; it explains how you can prevent vulnerabilities such as this: https://github.com/electron/electron/blob/master/docs/tutorial/security.md
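As an added example (this is not Agama's code and not taken from the linked PR), here is one way a main process can enforce the rule above: every `http`/`https` link is handed to the operating system's default browser with `shell.openExternal`, anything else that is not the app's own `file://` page is dropped, and the window is created with `nodeIntegration: false` and `contextIsolation: true` so a remote page never gets a `require` to reach `child_process` in the first place. The `file://` origin for the app UI, the `index.html` file name and the Electron version notes in the comments are assumptions; the policy and guard functions take injected dependencies so they can be exercised without Electron installed.

```javascript
// Added example, not Agama's code: route external links to the OS browser and
// keep Node integration away from web content.
// Assumes the app's own UI is served from file:// (Electron's default for a
// packaged app); extend INTERNAL_PROTOCOLS if a custom scheme is used.

// Protocols allowed to load inside the BrowserWindow: only the app's own pages.
const INTERNAL_PROTOCOLS = new Set(['file:']);
// Protocols that may be handed to the operating system's default browser.
const EXTERNAL_PROTOCOLS = new Set(['http:', 'https:']);

// Decide what to do with a navigation target:
//   'internal' -> load in-app, 'external' -> open in the default browser,
//   'deny'     -> drop it (javascript:, data:, malformed URLs, ...).
function classifyNavigation(rawUrl) {
  let parsed;
  try {
    parsed = new URL(rawUrl); // WHATWG URL is a Node global
  } catch (e) {
    return 'deny';
  }
  if (INTERNAL_PROTOCOLS.has(parsed.protocol)) return 'internal';
  if (EXTERNAL_PROTOCOLS.has(parsed.protocol)) return 'external';
  return 'deny';
}

// Wire the policy onto a webContents-like object. `openExternal` is injected so
// this can run without Electron (in Electron pass `shell.openExternal`).
// Returns the list of decisions taken, handy for auditing and tests.
function attachNavigationGuard(webContents, openExternal) {
  const decisions = [];
  const handle = (rawUrl) => {
    const verdict = classifyNavigation(rawUrl);
    decisions.push({ url: rawUrl, verdict });
    if (verdict === 'external') openExternal(rawUrl);
    return verdict;
  };
  // In-page navigation (a plain <a href>, location changes): cancel anything
  // that is not the app's own page.
  webContents.on('will-navigate', (event, rawUrl) => {
    if (handle(rawUrl) !== 'internal') event.preventDefault();
  });
  // window.open() / target="_blank": never spawn a second Electron window for it.
  // setWindowOpenHandler exists since Electron 12; older releases used the
  // 'new-window' event for the same purpose (assumption about version history).
  if (typeof webContents.setWindowOpenHandler === 'function') {
    webContents.setWindowOpenHandler(({ url }) => {
      handle(url);
      return { action: 'deny' };
    });
  }
  return decisions;
}

// Only runs under Electron; under plain Node the helpers above are still usable.
if (process.versions.electron) {
  const { app, BrowserWindow, shell } = require('electron');
  app.whenReady().then(() => {
    const win = new BrowserWindow({
      webPreferences: {
        nodeIntegration: false, // web content gets no require()
        contextIsolation: true, // preload scripts are isolated from page JS
        // enableRemoteModule: false is the matching switch on Electron 10 to 13;
        // the remote module was removed from Electron core in 14 (assumption).
      },
    });
    attachNavigationGuard(win.webContents, shell.openExternal);
    win.loadFile('index.html'); // assumed name of the app's own UI entry page
  });
}
```

With this in place, clicking https://komodoplatform.com from inside the app cancels the in-window navigation and opens the page in the system browser, while a `javascript:` or malformed target is simply dropped; the returned decision log lets you verify in a test that no external origin was ever loaded in the Electron context.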
Fixed in this PR: KomodoPlatform/EasyDEX-GUI#35