Site icon API Security Blog

Renderers can obtain access to random bluetooth device without permission in Electron

Impact This vulnerability allows renderers to obtain access to a random bluetooth device via the web bluetooth API if the app has not configured a custom select-bluetooth-device event handler. The device that is accessed is random and the attacker would have no way of selecting a specific device. All current stable versions of Electron are affected. Patches This has been patched and the following Electron versions contain the fix: * 17.0.0-alpha.6 * 16.0.6 * 15.3.5 * 14.2.4 * 13.6.6 Workarounds Adding this code to your app can workaround the issue. js app.on('web-contents-created', (event, webContents) => { webContents.on('select-bluetooth-device', (event, devices, callback) => { // Prevent default behavior event.preventDefault(); // Cancel the request callback(''); }); }); For more information If you have any questions or comments about this advisory, email us at…

Exit mobile version