"Remote Code Execution in Slack desktop apps" https://hackerone.com/reports/783877

This is why I refuse to use Slack, Discord, etc. in their native app versions – only in the browser. Browsers have gotten pretty good at sandboxing and auto-updating. Historically, Electron apps have demonstrated themselves to be good at neither.

With an Electron app, you're basically running a custom-made browser where the authors have to be trusted to get two aspects of security right – the web dev part, and the browser dev part.

If a website is insecure, worst case scenario (most of the time) is that an attacker can get access to that site's data. If an Electron app is insecure, worst case scenario is that the attacker gets full system access to do whatever they want. That's terrifying.

Some people prefer the Electron versions of apps because they like being able to press Alt-Tab instead of having to pin a browser tab. Or they like that it's better integrated into the system notifications. For me, this is a bad reason to compromise so much security (and performance as well – you're running a whole extra instance of Chromium).

Chrome is going the right direction with desktop PWAs, but I'm disappointed that so few apps have opted into it. On my work computer, there is literally one webapp I use on a regular basis that actually has a PWA version – Google Chat. I saved it as a desktop PWA, I get Alt-Tab, I get a separate window for it with its own app icon and everything, and yet it's still running the same old Chrome under the hood, with the same old security guarantees. It's a win-win for both UX and security.


@nolan I think any effort towards killing electron with fire is a good thing. In the mobile space the vast majority of apps seem to be little more than custom containers for web content made to deliberately circumvent security, privacy and user control. Electron seems almost deliberately designed to bring that evil practise to the desktop.

My main concern is that the big G seems to be the only significant player in desktop PWA and they shouldn't be trusted with setting standards by themselves.

Sign in to participate in the conversation

Hometown is adapted from Mastodon, a decentralized social network with no ads, no corporate surveillance, and ethical design.

<svg xmlns="http://www.w3.org/2000/svg" id="hometownlogo" x="0px" y="0px" viewBox="25 40 50 20" width="100%" height="100%"><g><path d="M55.9,53.9H35.3c-0.7,0-1.3,0.6-1.3,1.3s0.6,1.3,1.3,1.3h20.6c0.7,0,1.3-0.6,1.3-1.3S56.6,53.9,55.9,53.9z"/><path d="M55.9,58.2H35.3c-0.7,0-1.3,0.6-1.3,1.3s0.6,1.3,1.3,1.3h20.6c0.7,0,1.3-0.6,1.3-1.3S56.6,58.2,55.9,58.2z"/><path d="M55.9,62.6H35.3c-0.7,0-1.3,0.6-1.3,1.3s0.6,1.3,1.3,1.3h20.6c0.7,0,1.3-0.6,1.3-1.3S56.6,62.6,55.9,62.6z"/><path d="M64.8,53.9c-0.7,0-1.3,0.6-1.3,1.3v8.8c0,0.7,0.6,1.3,1.3,1.3s1.3-0.6,1.3-1.3v-8.8C66,54.4,65.4,53.9,64.8,53.9z"/><path d="M60.4,53.9c-0.7,0-1.3,0.6-1.3,1.3v8.8c0,0.7,0.6,1.3,1.3,1.3s1.3-0.6,1.3-1.3v-8.8C61.6,54.4,61.1,53.9,60.4,53.9z"/><path d="M63.7,48.3c1.3-0.7,2-2.5,2-5.6c0-3.6-0.9-7.8-3.3-7.8s-3.3,4.2-3.3,7.8c0,3.1,0.7,4.9,2,5.6v2.4c0,0.7,0.6,1.3,1.3,1.3 s1.3-0.6,1.3-1.3V48.3z M62.4,37.8c0.4,0.8,0.8,2.5,0.8,4.9c0,2.5-0.5,3.4-0.8,3.4s-0.8-0.9-0.8-3.4C61.7,40.3,62.1,38.6,62.4,37.8 z"/><path d="M57,42.7c0-0.1-0.1-0.1-0.1-0.2l-3.2-4.1c-0.2-0.3-0.6-0.5-1-0.5h-1.6v-1.9c0-0.7-0.6-1.3-1.3-1.3s-1.3,0.6-1.3,1.3V38 h-3.9h-1.1h-5.2c-0.4,0-0.7,0.2-1,0.5l-3.2,4.1c0,0.1-0.1,0.1-0.1,0.2c0,0-0.1,0.1-0.1,0.1C34,43,34,43.2,34,43.3v7.4 c0,0.7,0.6,1.3,1.3,1.3h5.2h7.4h8c0.7,0,1.3-0.6,1.3-1.3v-7.4c0-0.2,0-0.3-0.1-0.4C57,42.8,57,42.8,57,42.7z M41.7,49.5h-5.2v-4.9 h10.2v4.9H41.7z M48.5,42.1l-1.2-1.6h4.8l1.2,1.6H48.5z M44.1,40.5l1.2,1.6h-7.5l1.2-1.6H44.1z M49.2,44.6h5.5v4.9h-5.5V44.6z"/></g></svg>