Hacker News

butz, yesterday at 5:19 PM

I would like to see all "desktop" applications that use Electron listed, along with how big the Chromium drift is, and especially how many applications are shipping runtimes with unfixed vulnerabilities.


Replies

waitwhatwhoa, yesterday at 6:30 PM

We did a study of this a few years ago[1] and the code for the instrumentation is available on GitHub[2]. The data is dated, but you can see a cross section of popular apps and how far behind they were lagging over a 3-year period on page 11 of the PDF. Re: child comment, our main concern in this research was patched vulnerabilities persisting in Electron apps and how damaging that could be. Details in the paper :)

1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf
2. https://github.com/masood/inspectron

captn3m0, yesterday at 5:37 PM

I've been working on this over the years. WIP is here: https://github.com/captn3m0/electron-survey, and it doesn't look good.

I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.
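The drift the survey above measures can be checked on any single app without a database: Electron builds its default user-agent fragment from compile-time constants, so the shipped framework binary contains a literal of the form "Chrome/<chromium version> Electron/<electron version>". The script below is an added example, not code from electron-survey or Inspectron. It assumes that fragment survives unmodified in the binary (it does for stock builds, but a vendor could strip or alter it), and the sample bytes and the "current stable Chromium" version it compares against are constructed for the demonstration, not real release data.

```python
"""Estimate how far an Electron app's bundled Chromium lags behind a
reference version, by reading the version strings Electron bakes into
its binary. Added example; not part of any project on this page."""
import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# Electron's GetApplicationUserAgent() concatenates CHROME_VERSION_STRING and
# ELECTRON_VERSION_STRING at compile time, so a stock framework binary holds
# a literal such as b"Chrome/120.0.6099.56 Electron/28.0.0".
# Assumption: the app ships that literal unmodified.
_UA_FRAGMENT = re.compile(
    rb"Chrome/(\d+(?:\.\d+){3}) Electron/(\d+(?:\.\d+){2})"
)

# Constructed stand-in for `strings`-style binary content (not a real app).
SAMPLE_BINARY = (
    b"\x00\x7fELF\x02\x01\x01\x00junk\x00Mozilla/5.0 (X11; Linux x86_64) "
    b"AppleWebKit/537.36 Chrome/120.0.6099.56 Electron/28.0.0 Safari/537.36\x00"
)
# Constructed reference value for the demo; in practice, fetch the current
# Chromium stable version from a source you trust at scan time.
REFERENCE_CHROMIUM = "124.0.6367.60"


@dataclass(frozen=True)
class RuntimeInfo:
    electron: str
    chromium: str


def parse_version(v: str) -> tuple:
    """'120.0.6099.56' -> (120, 0, 6099, 56); comparable as a tuple."""
    return tuple(int(part) for part in v.split("."))


def find_runtime(blob: bytes) -> Optional[RuntimeInfo]:
    """Return the first Chrome/Electron version pair found in `blob`."""
    m = _UA_FRAGMENT.search(blob)
    if m is None:
        return None
    return RuntimeInfo(electron=m.group(2).decode(), chromium=m.group(1).decode())


def chromium_drift(shipped: str, reference: str) -> int:
    """Whole Chromium major versions the shipped runtime is behind `reference`.
    Negative means the app is newer than the reference (e.g. a beta build)."""
    return parse_version(reference)[0] - parse_version(shipped)[0]


def assess(blob: bytes, reference: str = REFERENCE_CHROMIUM) -> dict:
    """Produce a small report dict; `found` is False when no fragment exists."""
    info = find_runtime(blob)
    if info is None:
        return {"found": False}
    return {
        "found": True,
        "electron": info.electron,
        "chromium": info.chromium,
        "majors_behind": chromium_drift(info.chromium, reference),
        "reference": reference,
    }


def assess_file(path: str, reference: str = REFERENCE_CHROMIUM) -> dict:
    """Scan a real binary, e.g. the app's main executable on Linux or
    'Electron Framework.framework/Electron Framework' inside a macOS bundle."""
    return assess(Path(path).read_bytes(), reference)


if __name__ == "__main__":
    report = assess(SAMPLE_BINARY)
    print(report)
    # Expected for the constructed sample: Electron 28.0.0 / Chromium 120.x,
    # 4 majors behind the constructed reference 124.x.
```

Point `assess_file` at the framework binary of an installed app to get the same report for real data; the number to watch is `majors_behind`, since each Chromium major release closes out a batch of publicly documented fixes that the lagging app does not carry.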

stingraycharles, today at 2:13 AM

Isn’t the threat model for these desktop apps entirely different?

nicoburns, yesterday at 5:24 PM

I imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.

panzi, yesterday at 6:05 PM

Just wanted to write the same comment!