Last Updated: 12th September, 2019
Electron Framework Vulnerabilities: In several communication software, the Electron framework plays a major role – WhatsApp, GitHub, Skype and Slack to name just a few. It provides developers with the flexibility to develop a multitude of desktop applications with a single codebase as a cross-platform development platform.
Essentially, Electron Apps are becoming the de-facto standard in terms of desktop development because they allow a good chunk of the web application code to be reused. As mentioned earlier, some modern desktop applications such as Slack or VS Code are Electron apps. The major flaw with Electron apps, however, is that they are greatly exposed due to a lack of integrity protection.
Any attacker with access to the local filesystem can tamper with those applications and change their behavior; it is relatively simple to inject malicious code inside a legitimate application without triggering any warnings (the digital signature is not altered).
The vulnerability is part of the underlying Electron framework and allows for any malicious activity to be hidden within processes that appear to be harmless. During his demonstration, Tsakalidis was able to demonstrate a backdoored version of the Microsoft Visual Studio Code that sent out to a remote website with the contents of each code tab opened.
Whilst it would appear those remote attacks on Electron apps are not a current threat, there is certainly a backdoor threat to applications which could pass unperceived and enable attackers to perform a myriad of attacks – taking screenshots of the app, activating a webcam, and exfiltrate data such as credentials and personally identifiable information.
So how do you prevent all of this? Well, one way is for Electron to roll out a secure code signing process, but that is something that does not exist today. Application owners can minimize the impact of this backdoor, such as by putting in place a Content Security Policy that prevents attackers from directly sending exfiltrated data to a command and control (C2) server.
However, as Tsakalidis’ research showed, a CSP only blocks part of this exploit’s capabilities – it helps minimize data exfiltration but doesn’t prevent injections that enable keyloggers, taking screenshots, and access to a webcam.
As we see an increasing number of companies adopting Electron, it becomes increasingly important that organizations ensure that their applications cannot be tampered with. Developers of frameworks like Electron must take quick action to fix these backdoor of Electron Framework Vulnerabilities, but the stakes are too high for application owners to trust this alone.