Someone should point out --- and it should have occurred to me earlier to look into this and point it out myself, and I should catch some flack for that --- that the Trustwave bug is situational, but is reported as if it impacts all Electron applications.
In fact, a good number of Electron apps, including Signal and Slack, are confirmed not vulnerable to this particular bug, despite the misleading way the report was written. (There's another bug being talked about which is adding to the confusion).
The authors of this report should update it to clarify, rather than simply naming the most popular Electron apps as a means of whipping up attention.
They don't really say that but I'm in violent agreement they should have been much more clear and explicit. At the same time, you were just talking about a BlackHat presentation which you feel didn't get sufficient attention, possibly due to a lack of awareness the tech in question is at the core of a bunch of popular apps. The presentation mentions no specific apps at all. So this thing seems like a bit of threading that needle poorly and also some bad timing. It's not like they bought the domain jitterbugdoor.exposed and splattered 'Signal Degradation through Electron Degeneracy Pressure' across it.
The security story on Electron is pretty grim; it's an environment where you can plausibly say that DOM injection (cross-site scripting) is equivalent to RCE. Luca Carretoni broke this news last year at Black Hat, but didn't seem to get too much attention (I don't think many security people knew what a big deal Electron was in the dev community).
I wonder how widespread the issue might actually be, given the description at the end:
"
can allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3) , and hasn't manually opted into one of the following:
* Declared webviewTag: false in its webPreferences.
* Enabled the nativeWindowOption option in its webPreferences.
* Intercepting new-window events and overriding event.newGuest without using the supplied options tag.
"
In fact, a good number of Electron apps, including Signal and Slack, are confirmed not vulnerable to this particular bug, despite the misleading way the report was written. (There's another bug being talked about which is adding to the confusion).
The authors of this report should update it to clarify, rather than simply naming the most popular Electron apps as a means of whipping up attention.