"Remote Code Execution in Slack desktop apps" https://hackerone.com/reports/783877
This is why I refuse to use Slack, Discord, etc. in their native app versions – only in the browser. Browsers have gotten pretty good at sandboxing and auto-updating. Historically, Electron apps have demonstrated themselves to be good at neither.
With an Electron app, you're basically running a custom-made browser where the authors have to be trusted to get two aspects of security right – the web dev part, and the browser dev part.
If a website is insecure, worst case scenario (most of the time) is that an attacker can get access to that site's data. If an Electron app is insecure, worst case scenario is that the attacker gets full system access to do whatever they want. That's terrifying.
Some people prefer the Electron versions of apps because they like being able to press Alt-Tab instead of having to pin a browser tab. Or they like that it's better integrated into the system notifications. For me, this is a bad reason to compromise so much security (and performance as well – you're running a whole extra instance of Chromium).
@nolan I think any effort towards killing electron with fire is a good thing. In the mobile space the vast majority of apps seem to be little more than custom containers for web content made to deliberately circumvent security, privacy and user control. Electron seems almost deliberately designed to bring that evil practice to the desktop.
My main concern is that the big G seems to be the only significant player in desktop PWA and they shouldn't be trusted with setting standards by themselves.