This week at B-Sides LV, security researcher Pavel Tsakalidis presented his work on security defects in the Electron framework, a cross-platform development framework that combines JavaScript with Node.js. Apps built with Electron include Skype, Slack, WhatsApp, Visual Studio Code and others.
Tsakalidis showed how the lack of basic encryption for Electron code leaves users vulnerable to hackers who inject back-door code into their sessions, which exposes their communications, filesystem, and cameras and mics to third parties.
These changes are harder to make on macOS or GNU/Linux systems (where admin access is required), but Windows systems are wide open.
To make things worse, Electron's team had previously rejected a user request for encryption to protect its files, and when Tsakalidis presented his work to them, they ignored him.
Tsakalidis has released a proof-of-concept tool called BEEMKA, a small Python program that can open Electron ASAR archive files and insert exploit code into them, exploiting apps and Chrome plugins built in the framework.
Code inserted into the ASAR can run either within the application's context or within the context of the Electron framework itself. Application code is "plain old JavaScript," Tsakalidis explained, capable of calling Electron's operating-specific modules—including microphone and camera controls, as well as operating system interfaces. Code injected into Electron's internal Chrome extensions can allow attackers to bypass certificate checks, so that, while code may still force communications over HTTPS, an attacker can use a self-signed certificate on a remote system for exfiltration. And Web communications can be altered or completely blocked—including applications' updating features, which would prevent new versions from being automatically installed, displacing the backdoored application.
Tsakalidis said that in order to make modifications to Electron apps, local access is needed, so remote attacks to modify Electron apps aren't (currently) a threat. But attackers could backdoor applications and then redistribute them, and the modified applications would be unlikely to trigger warnings—since their digital signature is not modified.
Skype, Slack, other Electron-based apps can be easily backdoored [Sean Gallagher/Ars Technica]
Basic Electron Framework Exploitation [Pavel Tsakalidis/Context]