Electron applications are easy targets: they can be readily modified and backdoored

Because of its cross-platform capabilities, the Electron development platform is a key component of many applications. Electron, which is based on JavaScript and Node.js, is used in popular messaging applications such as Skype, WhatsApp and Slack, and even in Microsoft's Visual Studio Code development tool. But Electron also poses a security risk, because applications built on it can easily be modified and backdoored without triggering any warnings.

At the BSides LV security conference on Tuesday, security researcher Pavel Tsakalidis demonstrated BEEMKA, a tool he developed in Python that allows extracting Electron ASAR archive files and injecting new code into JavaScript libraries and built-in Chrome browser extensions. The researcher said that the vulnerability he exploits is not in the applications themselves but in the underlying Electron framework that the applications use. Tsakalidis said he contacted Electron but did not get a response, and the vulnerability still exists.

Although these modifications require administrator access on Linux and macOS, on Windows only local access is needed. The modifications can create new event-based "features" that can access the file system, activate the webcam, and use the trusted application's functionality to leak information from the system (including user credentials and sensitive data). In his presentation, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sends the contents of every code tab that is opened to a remote site.

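Tsakalidis pointed out that the problem is that Electron ASAR files themselves are not encrypted or signed, which allows them to be modified without changing the signature of the affected application. A request from developers for the ability to encrypt ASAR files was closed by the Electron team, which also took no action.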
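Because the archive carries no signature of its own, a defender can detect this kind of modification by hashing every file packed in the ASAR and comparing the result against a baseline taken from a trusted copy. The following is an added example, not code from the article or from BEEMKA; the function names are hypothetical, the sample archives are constructed in memory, and it assumes the baseline comes from a known-good install.

```python
import hashlib, json, struct

def read_header(blob):
    """Return (file tree, offset where file data starts) from ASAR bytes."""
    # Layout: uint32 4 | uint32 header pickle size | uint32 payload size |
    #         uint32 JSON length | JSON | padding, then concatenated file data
    _, pickle_size, _, json_len = struct.unpack_from("<4I", blob, 0)
    header = json.loads(blob[16:16 + json_len])
    return header, 8 + pickle_size

def manifest(blob):
    """Map each packed file path to the SHA-256 of its content."""
    header, base = read_header(blob)
    out = {}
    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = prefix + name
            if "files" in entry:          # directory: recurse
                walk(entry, path + "/")
            elif "offset" in entry:       # skip unpacked files and symlinks
                start = base + int(entry["offset"])
                data = blob[start:start + entry["size"]]
                out[path] = hashlib.sha256(data).hexdigest()
    walk(header, "")
    return out

def diff(baseline, current):
    """Paths added, removed or changed relative to a trusted baseline."""
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))

def build_sample(files):
    """Pack {path: bytes} (flat names only) into ASAR bytes for the demo."""
    tree, body = {}, b""
    for name, data in files.items():
        tree[name] = {"size": len(data), "offset": str(len(body))}
        body += data
    js = json.dumps({"files": tree}).encode()
    pad = -len(js) % 4
    pickle = struct.pack("<2I", 4 + len(js) + pad, len(js)) + js + b"\0" * pad
    return struct.pack("<2I", 4, len(pickle)) + pickle + body

if __name__ == "__main__":
    # Constructed sample: a known-good archive and a copy with main.js altered
    good = build_sample({"main.js": b"app.start()", "package.json": b"{}"})
    bad = build_sample({"main.js": b"app.start();extra()", "package.json": b"{}"})
    print(diff(manifest(good), manifest(bad)))
```

Hashing per file rather than the whole archive reports which script changed, and an unchanged file still matches even when its offset inside the archive has shifted.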

Origin www.oschina.net/news/109013/electron-based-apps-can-be-easily-backdoored