On the Electron, platform for application developers, have been found new security issues.
This time, vulnerabilities allow including a backdoor in such popular applications as Skype and Slack.The Electron framework is a key link in many popular applications, mainly due to its cross-platform capabilities. It is used by the developers of Skype, WhatsApp and Slack.
At BSides LV’s security conference, expert Pavel Tsakalidis demonstrated his own tool called BEEMKA.
BEEMKA is written in Python and allows to unpack Electron – ASAR archive files.
Read also: A bug in the IoT camera allowed listening on its owners
Using this tool, Tsakalidis was able to inject new code into the Electron JavaScript libraries. Thus, he opened up the possibility of injecting malicious capabilities into popular communication programs.
“This attack doesn’t exploit any vulnerabilities in the applications, but instead it leverages Electron’s architecture which means that in order to exploit this the attacker will need to have write access to the application’s installation folder”, – said Pavel Tsakalidis.
According to Tsakalidis, he tried to contact Electron representatives about the vulnerabilities found, but he did not receive a response.
Using the embedded malicious code, you can access the file system, activate the webcam and extract confidential information. And all this under the mask of legitimate applications.
The researcher published a video in which you can get acquainted with the essence of the security problem:
Recommendation
If you are using an application written in Electron (and you probably are):
- Make sure you update your applications frequently. When an application is updated, electron.asar is usually replaced with a clean version – removing any backdoors.
- Install applications as a high privileged user (ie in “Program Files”) and use them as a low privileged user. To exploit this vulnerability, the attacker would not only have to gain access to your host but would have to elevate their privileges to that of an administrator as well.
If you are developing an application in Electron:
- Make sure you use CSP meta tags in your index.html file.
- Implement and use WebViews were possible.