Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Improper Electron Security Practices (CSP)

See original GitHub issue

Upon reviewing this project’s “injector” code, it appears it disables numerous security features implemented by Discord to ensure remote code is sufficiently sandboxed from the operating system. As it stands, this software is a walking remote code execution waiting to happen.

  1. Node Integration Enabled
        options.webPreferences.nodeIntegration = true;

This software leaks node integration into the main window. This means the window has access to directly modify the file system and execute arbitrary commands.

  1. Remote Module Enabled
        options.webPreferences.enableRemoteModule = true;

This software enables Electron’s remote module in the main window. This means the window has access to send direct IPC commands which can be used to execute arbitrary code. The remote module is also being removed in the next version of Electron, so you will have to fix this anyways when that occurs.

  1. Context Isolation Disabled
        options.webPreferences.contextIsolation = false;

This software disables Electron’s context isolation, which forces browser code to run in a separate context from main window code. This prevents attackers from doing things like polluting prototypes which may expose access to restricted functions that escalate access to execute arbitrary commands.

  1. Content Security Policy (CSP) Disabled
// Remove the CSP
const removeCSP = () => {
    electron.session.defaultSession.webRequest.onHeadersReceived(function(details, callback) {
        if (!details.responseHeaders["content-security-policy-report-only"] && !details.responseHeaders["content-security-policy"]) return callback({cancel: false});
        delete details.responseHeaders["content-security-policy-report-only"];
        delete details.responseHeaders["content-security-policy"];
        callback({cancel: false, responseHeaders: details.responseHeaders});

// Remove CSP immediately on linux since they install to discord_desktop_core still
if (process.platform == "win32" || process.platform == "darwin")"ready", removeCSP);
else removeCSP();

CSP exists to mitigate and prevent attacks around most XSS and content injection. If someone finds XSS in Discord, the lack of 1, 2, and 3 listed above would directly result in remote code execution.

Security of Electron is not to be taken lightly as there are many foot-guns. By releasing software like this and encouraging people to install it, you are putting users at risk without taking proper steps to keep Electron secure. I would strongly encourage you to read up on the best security practices for Electron at and apply those to this project.

Issue Analytics

  • State:open
  • Created 3 years ago
  • Reactions:93
  • Comments:30 (15 by maintainers)

github_iconTop GitHub Comments

ObserverOfTimecommented, Sep 7, 2020

If someone finds XSS in Discord, that’s Discord’s fault.

nightcommented, Sep 7, 2020

Seriously… If Discord wanted to be at least somewhat secure, they’d install into %ProgramFiles% (like Skype does) instead of some random location where literally any application run with normal user privileges can mess with it. Note that Discord’s forced auto-updates at application startup can also inject code at will. The machine is compromised long before any v8 context isolation would happen.

Discord does have improvements planned for downloading and updating, but I just want to highlight that these are completely different attack vectors.

Discord’s app displays a remote website which is being given direct access to remotely execute code by this software. In an example attack scenario, arbitrary user data which somehow gets access to run JavaScript would essentially be a 0-day. To exploit app updates, Discord’s distribution channels would need to be forced to serve an exploit. Given the attack surfaces listed, the former is more likely to occur since user-generated content is accessible from clients and there is much more surface area for attack.

Arguing that all security should go out the window because of us installing to AppData is also a pretty irresponsible way of thinking as a developer. Security is built in layers, with the end goal being that the attack surface area is sufficiently reduced. It is everyone’s job to think about security.

I think it’s important to state that these security prefs are disabled on purpose to give freedom to plugins and themes.

Sure, we could enable them back on, but that would have to come with major trade-offs that doesn’t seem to be worth doing to an existing client mod.

It’s unfortunate that you believe security and client mods to be mutually exclusive. While making a client mod work properly in a sandboxed environment will require some amount of work, the end result here is for the benefit of users. If you have specific questions regarding Electron I can try to offer you direction/advice, but all of the listed security issues are usually solvable problems.

Read more comments on GitHub >

github_iconTop Results From Across the Web

A Content Security Policy (CSP) is an additional layer of protection against cross-site-scripting attacks and data injection attacks. We recommend that they be ......
Read more >
Electron CSP ⟶ Avoiding the Insecure ...
This renderer process has either no Content Security Policy set or a policy with "unsafe-eval" enabled. This exposes users of this app to...
Read more >
Security, Native Capabilities, and Your Responsibility
A Content Security Policy (CSP) is an additional layer of protection against cross-site-scripting attacks and data injection attacks. We recommend that they be ......
Read more >
The negative impact of incorrect CSP implementations
Content Security Policy (CSP) is an effective client-side security measure that is designed to prevent vulnerabilities such as Cross-Site ...
Read more >
CSP in Electron
How to publish Content Security Policy in Electron.js, ... you can publish CSP only via Content Security Policy meta tag. ... Bad practice:...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found