Skype, Slack, other Electron-based apps can be easily backdoored
Changes to configuration files don’t change signature, can add malicious features.
By Sean Gallagher | August 8, 2019
The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft’s Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings.
…
While making these changes required administrator access on Linux and macOS, it only requires local access on Windows.
…
It’s not a bug, it’s a feature
The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications.
…
[Tsakalidis said that] in order to make modifications to Electron apps, local access is needed, so remote attacks to modify Electron apps aren’t (currently) a threat. But attackers could backdoor applications and then redistribute them, and the modified applications would be unlikely to trigger warnings—since their digital signature is not modified.
