Serious security flaws discovered in software behind Microsoft Teams and Discord

A group of security researchers has uncovered a range of vulnerabilities in the Electron framework used by popular desktop apps like Discord and Microsoft Teams.

Motherboard reports the team detailed their findings at the Black Hat cybersecurity conference in Las Vegas on Thursday, explaining how they could have taken complete control of victims’ systems simply by having them click on a link within the apps.

The Electron framework is built on open-source Chromium and the cross-platform JavaScript environment Node.js. Using web technologies, it lets developers make dedicated desktop apps used by hundreds of millions of users.

In Discord, the victim only has to click on a malicious video link, while the bug in Microsoft Teams could be exploited by inviting a target to a meeting with a malicious link.

Fortunately, the vulnerabilities were submitted by the researchers to Electron for patching.

The company rolled out fixes before the researchers published their findings and paid the hackers over $10,000 in rewards.

Nevertheless, one of the researchers, Aaditya Purani, recommended that people use browser-based apps instead of their dedicated versions for added security.

“Regular users should know that the Electron apps are not the same as their day-to-day browsers,” Purani said.

“If you are more paranoid, I recommend using the website itself because then you have the protection which Chromium has, which is much larger than Electron.”

Aside from the apps mentioned above, Electron is used in over 750 other desktop apps, including WhatsApp, Slack, Spotify, and YouTube Music.

However, the researchers did not share any exploits they were able to execute on other apps.
