Presentation Material
Abstract
Electron-based apps are becoming the norm these days, as Electron allows encapsulating web applications into a desktop app that is rendered using Chromium. However, if an Electron app loads remote content of an attacker's choice, whether via a feature or misconfiguration of a deep link, an open redirect, or XSS, it would lead to remote code execution on the OS.
Previously, it was known that a lack of certain feature flags and a failure to apply best practices would cause this behavior, but we have identified novel attack vectors within the core Electron framework that could, under certain circumstances, be leveraged to gain remote code execution on Electron apps despite the feature flags being set correctly. This presentation covers the vulnerabilities found in twenty commonly used Electron applications and demonstrates Remote Code Execution within apps such as Discord, Teams (local file read), VSCode, Basecamp, Mattermost, Element, Notion, and others.
AI Generated Summary (may contain errors)
This is a transcript of a security researcher’s talk about exploiting Electron applications. Here’s a summary:
The speaker explains how they used V8 exploits to bypass Node.js integration in subframes and disable context isolation, allowing them to access the main process and execute arbitrary code. They demonstrate two exploits: one using a Node.js integration exploit and another using a context isolation exploit.
In both cases, the attacker creates an iframe with Node.js integration enabled, allowing them to access the window.electron.send function and send IPC messages to the main process. This allows them to execute arbitrary code, including popping a calculator.
The speaker notes that Electron applications often have a noticeable patch gap between Chrome and Electron versions, making them vulnerable to known V8 exploits. They recommend updating Electron applications regularly, enabling security flags, mitigating web application security vulnerabilities, and avoiding sensitive IPC implementations.
The talk concludes with the speaker mentioning that they were able to achieve remote code execution in 20 different Electron applications using these exploits.
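The recommendation to avoid sensitive IPC implementations can be made concrete with a main-process dispatcher that rejects messages from subframes and untrusted origins and exposes only narrow, data-only handlers. This is an added example, not code from the talk or from any of the applications named; the origin, the channel name and the handler are hypothetical, and the frame objects are constructed stand-ins for Electron's `event.senderFrame`.

```javascript
// Added example: origin, channel name and handler are hypothetical.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);

// `frame` mirrors Electron's event.senderFrame: `url` is the frame's URL,
// `parent` is null only for the top-level frame of the window.
function isTrustedSender(frame) {
  if (!frame || frame.parent !== null) return false; // reject iframes
  try {
    return TRUSTED_ORIGINS.has(new URL(frame.url).origin);
  } catch {
    return false; // unparsable URL: fail closed
  }
}

// Data-only handlers: none takes a command line, file path or URL to open,
// so a renderer that does get through has little to misuse.
const HANDLERS = {
  "set-title": (payload) => {
    if (typeof payload !== "string" || payload.length > 100) {
      throw new TypeError("invalid title");
    }
    return { ok: true, title: payload };
  },
};

function dispatch(event, channel, payload) {
  if (!isTrustedSender(event.senderFrame)) {
    return { ok: false, error: "untrusted sender" };
  }
  // Own-property check so names like "__proto__" never resolve to a handler.
  if (!Object.prototype.hasOwnProperty.call(HANDLERS, channel)) {
    return { ok: false, error: "unknown channel" };
  }
  try {
    return HANDLERS[channel](payload);
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// In an Electron main process this would be registered per channel:
//   ipcMain.handle("set-title", (e, p) => dispatch(e, "set-title", p));

// Constructed sample frames (not captured from a real application).
const mainFrame = { url: "https://app.example.com/index.html", parent: null };
const remoteIframe = { url: "https://untrusted.example/x.html", parent: mainFrame };
const sameOriginIframe = { url: "https://app.example.com/w.html", parent: mainFrame };
const navigatedTop = { url: "https://untrusted.example/", parent: null };
```

Sender checks do not help once the trusted top-level renderer itself is compromised, which is why the handlers are kept data-only as well.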