Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Software

Researchers Find Vulnerability In Software Underlying Discord, Microsoft Teams, and Other Apps (vice.com) 23

An anonymous reader quotes a report from Motherboard: A group of security researchers found a series of vulnerabilities in the software underlying popular apps like Discord, Microsoft Teams, Spotify and many others, which are used by tens of millions of people all over the world. At the Black Hat cybersecurity conference in Las Vegas on Thursday, the researchers presented their findings, detailing how they could have hacked people who use Discord, Microsoft Teams, and the chat app Element by exploiting the software underlying all of them: Electron, which is a framework built on the open source Chromium and the cross-platform javascript environment Node JS. In all these cases, the researchers submitted vulnerabilities to Electron to get them fixed, which earned them more than $10,000 in rewards. The bugs were fixed before the researchers published their research.

Aaditya Purani, one of the researchers who found these vulnerabilities, said that "regular users should know that the Electron apps are not the same as their day-to-day browsers," meaning they are potentially more vulnerable. In the case of Discord, the bug Purani and his colleagues found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, hackers would have been able to take control of their computers, Purani explained in the talk. For him, one of the main takeaways of their research is that Electron is risky precisely because users are very likely to click on links shared in Discord or Microsoft Teams.

This discussion has been archived. No new comments can be posted.

Researchers Find Vulnerability In Software Underlying Discord, Microsoft Teams, and Other Apps

Comments Filter:
  • Chrome/Chromium is the new IE. We'll be dealing with it for a long time. The most used thing is also the most attacked thing.

  • by 93 Escort Wagon ( 326346 ) on Thursday August 11, 2022 @07:36PM (#62782186)

    Apps built on Electron suck equally across every platform.

    And they found a vulnerability in node.js? I am shocked. Shocked! A feather just hit me and I fell right over!

    • Yeah. Once we started letting bloody graphic designers write desktop apps instead of the guard who basically dreamed in C++ and actually knew how memory buffers worked etc, we kind of landed in a situation where THIS sort of nonsense is actually innevitable.

  • by marcle ( 1575627 ) on Thursday August 11, 2022 @07:37PM (#62782188)

    Endless libraries and frameworks calling other libraries and frameworks, many of them open source and poorly maintained -- what could possibly go wrong?

    • Re:No surprise (Score:4, Insightful)

      by Narcocide ( 102829 ) on Thursday August 11, 2022 @07:42PM (#62782208) Homepage

      JavaScript was a mistake.

      • by Revek ( 133289 )
        Like flash and whatever comes after JS.
      • I find the language to be a mess but it could be tolerated for what was used in the beginning: Short segments of code to add some interactivity to websites. As a tool to write large apps? Yeah, I don't think it's suited to it.
        But we live in the era where the browser is the universal runtime and people capable of developing on the web stack are plentiful ...so we ended where we are.
    • Re:No surprise (Score:4, Insightful)

      by keithdowsett ( 260998 ) on Friday August 12, 2022 @03:17AM (#62782808) Homepage

      Welcome to the world of 2020's software development.

      1) Design project (optional)
      2) Munge together a bunch of libraries on AWS until it looks like it might work
      3) Add a GUI (more libraries)
      4) Port to Android and Apple phones (more libraries)
      5) Release the code waay before it's ready (obligatory)
      6) Waste a heap of cash on Tiktok advertising (obligatory)
      7) Profit (optional)
      8) Sell the whole heap of crap to venture capitalists for a stupid amount of money

      But seriously, from an project perspective it makes sense to use libraries to perform as many functions as possible. That way instead of re-inventing the wheel you can focus on developing core functionality. There's no prospect of a project team auditing all the libraries they use, let alone all their dependencies. That would waste thousands of man-hours.

      So for purely financial reasons we're reliant on the white hat community finding these obscure bugs before the brown hatters exploit them. That's just life in the 2020's

    • ...many of them open source and poorly maintained -- what could possibly go wrong?

      As opposed to closed source and poorly maintained?

  • One nit to pick (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Thursday August 11, 2022 @07:44PM (#62782212)

    "In the case of Discord, the bug Purani and his colleagues found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting."

    These are not completely accurate statements, given the very next sentence says the receiver needs to click on the links in order to be exploited. So basically it's yet another social engineering attack, and more evidence that educating end users is crucially important.

    • by splutty ( 43475 ) on Thursday August 11, 2022 @07:53PM (#62782240)

      Teams and Discord however are exactly the kind of platforms where users *will* click that link.

      So yes, it's social engineering, but in this case it's also kind of shooting fish in a barrel.

    • by La Gris ( 531858 )

      "In the case of Discord, the bug Purani and his colleagues found only required them to send a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting."

      These are not completely accurate statements, given the very next sentence says the receiver needs to click on the links in order to be exploited. So basically it's yet another social engineering attack, and more evidence that educating end users is crucially important.

      How do you know that your long time friend you trust, has had his own device compromised, and anything he posts is silently injected with exploits for those vulnerabilities and you must refrain from clicking on links, even those from your trusted long time friend?

      I don't think any level of awareness can protect your from this.

    • Yes, people are stupid.

      To be fair, that's not the "right" way to exploit this. Instead, you spear-phish someone mid-level in a company and gain access to their Teams/Discord. Then you send the invite/video link to someone you really want to target, like the CEO. Now you control that person's computer. My point being that "unknown sources" isn't the likely use case.

news: gotcha

Working...