I would like to see all "desktop" applications that use Electron listed and how big of a Chromium drift is there, especially how many applications are shipping runtimes with unfixed vulnerabilities.

▲

waitwhatwhoa 3 hours ago | parent | next [-]

We did a study of this a few years ago[1] and the code for the instrumentation is available on github[2], the data is dated but you can see a cross section of popular apps and how far behind they were lagging over a 3 year period on page 11 of the pdf. Re: child comment, our main concern in this research was patched vulnerabilities persisting in electron apps and how damaging that could be. Details in the paper :)

1. https://www.usenix.org/system/files/usenixsecurity24-ali.pdf 2. https://github.com/masood/inspectron

▲

captn3m0 3 hours ago | parent | prev | next [-]

I've been working on this over the years. WIP is here: https://github.com/captn3m0/electron-survey, and it doesn't look good.

I keep getting distracted by side-quests. The last one was building an Electron Zoo, and the current one is doing accurate SBOMs for each electron version.

▲

nicoburns 4 hours ago | parent | prev | next [-]

I imagine that looks pretty bad. On the other hand, Electron apps often aren't running untrusted code, which makes it quite a bit harder to exploit.

	▲	nolist_policy 2 hours ago \| parent \| next [-]
		Yep. JavaScript VM breakout, Sandbox breakout and spectre/meltdown side channel leaks are all tracked as vulnerabilities towards Electron while ordinary apps don't even have such security features.
	▲	josefx 3 hours ago \| parent \| prev [-]
		Didn't some get exploited early on because electron made it trivial to load third party websites without any kind of XSS protection?

▲

panzi 3 hours ago | parent | prev [-]

Just wanted to write the same comment!