
    This topic contains 0 replies, has 1 voice, and was last updated by  Kirsty 1 week, 4 days ago.


      Kirsty
      Da Boss

      Skype, Slack, other Electron-based apps can be easily backdoored
      Changes to configuration files don’t change signature, can add malicious features.

      By Sean Gallagher | August 8, 2019

       
      The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft’s Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings.

      While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows.

      It’s not a bug, it’s a feature
      The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications.

      [Tsakalidis said that] in order to make modifications to Electron apps, local access is needed, so remote attacks to modify Electron apps aren’t (currently) a threat. But attackers could backdoor applications and then redistribute them, and the modified applications would be unlikely to trigger warnings—since their digital signature is not modified.

       
      Read the full article here

      1 user thanked author for this post.
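
      An added example, not part of the original post or the quoted article: because the ASAR archive is not covered by the application's signature, its integrity has to be tracked separately. This Python code parses the ASAR header and compares per-file SHA-256 hashes against a baseline taken from a known-good install; the sample archives, file names and helper names are constructed for illustration.

```python
import hashlib, json, struct

def build_asar(files):
    """Pack {name: bytes} into a minimal flat ASAR archive (constructed sample input)."""
    index, blob = {}, b""
    for name, data in files.items():
        index[name] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    header = json.dumps({"files": index}).encode()
    padded = header + b"\0" * (-len(header) % 4)
    # Pickle framing used by the asar format:
    # [4][header pickle size][payload size][JSON length][JSON, padded to 4 bytes]
    return struct.pack("<4I", 4, len(padded) + 8, len(padded) + 4, len(header)) + padded + blob

def asar_file_hashes(archive):
    """Return {path: sha256 hex digest} for every file packed inside an ASAR archive."""
    _, header_size, _, json_len = struct.unpack_from("<4I", archive, 0)
    header = json.loads(archive[16:16 + json_len])
    base = 8 + header_size  # file data starts right after the header pickle
    hashes = {}
    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = prefix + name
            if "files" in entry:       # directory node
                walk(entry, path + "/")
            elif "offset" in entry:    # packed file; unpacked entries carry no offset
                start = base + int(entry["offset"])
                data = archive[start:start + entry["size"]]
                hashes[path] = hashlib.sha256(data).hexdigest()
    walk(header, "")
    return hashes

def diff_against_baseline(baseline, current):
    """List files changed, added or removed relative to the recorded baseline."""
    both = baseline.keys() & current.keys()
    return {"changed": sorted(p for p in both if baseline[p] != current[p]),
            "added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys())}

# Constructed sample archives: a known-good build and an altered copy of it.
PKG = b'{"main":"main.js"}'
GOOD = build_asar({"main.js": b"app.start();\n", "package.json": PKG})
ALTERED = build_asar({"main.js": b"app.start(); extra();\n", "package.json": PKG,
                      "hook.js": b"// added\n"})
BASELINE = asar_file_hashes(GOOD)

if __name__ == "__main__":
    print(diff_against_baseline(BASELINE, asar_file_hashes(ALTERED)))
```

      The baseline has to be recorded from a trusted copy of the application and stored where a local user cannot rewrite it, since the archive itself carries no signature to fall back on.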
