Introduction Hello, I’m RyotaK (@ryotkak ), a security engineer at GMO Flatt Security Inc. A while ago, I reported a remote code execution vulnerability that chains multiple problems in Chatwork, a popular communication tool in Japan. In the report that I sent to the bug bounty platform, I used an obsolete feature of Electron to escalate to the preload context. As the vulnerability was interesting, I’m writing this article to share the details of it.| GMO Flatt Security Research
On February 6, 2024, a security researcher alerted us of a potential security issue with Zettlr version 3.0.3 and below. On February 7, we fixed this very issue with the release of Zettlr version 3.0.4, shortly followed by 3.0.5. In this postmortem, we want to inform you about what even happened, whether you have been affected, and what we have learned so far.| Zettlr
YAML history changes: - pr-url: https://github.com/electron/electron/pull/40330 description: "ipcRenderer can no longer be sent over the contextBridge" breaking-changes-header: behavior-changed-ipcrenderer-can-no-longer-be-sent-over-the-contextbridge| www.electronjs.org
Communicate asynchronously from a renderer process to the main process.| www.electronjs.org
Migrating Visual Studio Code to Electron process sandboxing| code.visualstudio.com