Tsakalidis showed how the absence of any encryption or integrity check on Electron application code (which ships as a plain ASAR archive that the app loads without verifying it) leaves users vulnerable to attackers who inject backdoor code into the apps themselves, exposing their communications, filesystem, camera and microphone to third parties.
These changes are harder to make on macOS or GNU/Linux systems (where admin access is required to touch the installed app), but Windows systems, where Electron apps typically install into the user's own profile directory, are wide open.
To make things worse, Electron's team had previously rejected a user request for encryption to protect its application files, and when Tsakalidis presented his work to them, they ignored him.
Tsakalidis has released a proof-of-concept tool called BEEMKA, a small Python program that can open Electron ASAR archive files and insert its own code into them, backdooring apps and Chrome plugins built on the framework.
Tsakalidis said that modifying an Electron app requires local access, so remote attacks that modify Electron apps aren't (currently) a threat. But attackers could backdoor applications and then redistribute them, and the modified applications would be unlikely to trigger warnings: on Windows the code signature covers the executable, not the app.asar resource file, so tampering with the archive leaves the signature intact.
Skype, Slack, other Electron-based apps can be easily backdoored [Sean Gallagher/Ars Technica]
Basic Electron Framework Exploitation [Pavel Tsakalidis/Context]
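To see why the archive format itself offers nothing to catch tampering, here is a small added example (not BEEMKA and not code from the Electron project) that packs and unpacks an ASAR container following the documented layout (an 8-byte size prefix, a pickled JSON directory, then the raw file bytes) and then does the one check the format leaves out: comparing every entry against an out-of-band baseline of SHA-256 digests. The sample app, the baseline store and the tampered copy are all constructed inline for illustration.

```python
"""Minimal ASAR pack/unpack plus a baseline integrity check (added example)."""
import hashlib
import json
import struct


def _pad4(n):
    """Round up to a 4-byte boundary, as the pickle encoding requires."""
    return (n + 3) & ~3


def pack_asar(files):
    """Build an ASAR archive from {path: bytes}.

    Note what is NOT written: no signature, no digest, no MAC. The header
    is just a JSON directory of sizes and offsets, so anyone who can write
    the file can change any entry and the loader cannot tell.
    """
    tree = {"files": {}}
    blobs = []
    offset = 0
    for path, content in files.items():
        node = tree
        *dirs, name = path.split("/")
        for d in dirs:
            node = node["files"].setdefault(d, {"files": {}})
        node["files"][name] = {"size": len(content), "offset": str(offset)}
        blobs.append(content)
        offset += len(content)
    header = json.dumps(tree).encode()
    # Pickle string: uint32 length + bytes, padded to a 4-byte boundary.
    payload = struct.pack("<I", len(header)) + header.ljust(_pad4(len(header)), b"\0")
    header_buf = struct.pack("<I", len(payload)) + payload
    size_buf = struct.pack("<II", 4, len(header_buf))
    return size_buf + header_buf + b"".join(blobs)


def unpack_asar(blob):
    """Parse an ASAR archive back into {path: bytes}."""
    _, header_len = struct.unpack_from("<II", blob, 0)
    (json_len,) = struct.unpack_from("<I", blob, 12)
    tree = json.loads(blob[16:16 + json_len])
    base = 8 + header_len  # file offsets are relative to the end of the header
    out = {}

    def walk(node, prefix):
        for name, child in node["files"].items():
            if "files" in child:  # directory node
                walk(child, prefix + name + "/")
            else:
                start = base + int(child["offset"])
                out[prefix + name] = blob[start:start + child["size"]]

    walk(tree, "")
    return out


def entry_digests(blob):
    """SHA-256 of every entry; this is the baseline the format itself lacks."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in unpack_asar(blob).items()}


def verify_asar(blob, baseline):
    """Compare an archive against a trusted baseline; returns (kind, path) findings."""
    current = entry_digests(blob)
    findings = []
    for path in sorted(set(current) | set(baseline)):
        if path not in baseline:
            findings.append(("added", path))
        elif path not in current:
            findings.append(("missing", path))
        elif current[path] != baseline[path]:
            findings.append(("modified", path))
    return findings


# Constructed sample app (assumed, not a real product's archive).
SAMPLE_APP = {
    "package.json": b'{"name":"demo","main":"main.js"}',
    "main.js": b"const { app } = require('electron');\napp.whenReady().then(() => {});\n",
    "renderer/index.html": b"<html><body>demo</body></html>",
}

ORIGINAL = pack_asar(SAMPLE_APP)
BASELINE = entry_digests(ORIGINAL)  # captured from a known-good install

# Same archive with one line appended to main.js. Nothing inside the
# container records the change; only the baseline comparison catches it.
TAMPERED = pack_asar({**SAMPLE_APP, "main.js": SAMPLE_APP["main.js"] + b"// appended line\n"})

if __name__ == "__main__":
    print(verify_asar(ORIGINAL, BASELINE))
    print(verify_asar(TAMPERED, BASELINE))
```

The baseline has to live somewhere the attacker cannot also rewrite (a signed manifest, a hash recorded by endpoint management at install time), otherwise it is no better than the archive. Later Electron releases added an opt-in ASAR integrity fuse (EnableEmbeddedAsarIntegrityValidation) that bakes such digests into the signed binary; the 2019-era apps described here had no equivalent.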
IBM’s ridiculously named X-Force Red have documented a new attack vector they’ve dubbed “Warshipping”: they mailed a sub-$100 custom, wifi-enabled low-power PC with a cellular radio to their target’s offices.
At this year's Defcon Lock Picking Village, IOActive's Mike Davis will present a method for cracking high-security locks made by Dormakaba Holding, a Swiss company. The locks are used in very high-stakes applications, from securing ATMs to Air Force One, as well as guarding classified and sensitive materials on US military bases.
The Lock Picking Lawyer is one of my favorite YouTubers, and he’s spreading his wings beyond the usual fare of dreadful padlocks and crap safes. Here he shows how to use a $2 generic remote control to “blind” SimpliSafe, a security gadget that’s getting rave reviews from product testers. This however is a little 433 […]