Skype, Slack, Other Electron-Based Apps Can Be Easily Backdoored (arstechnica.com) 82
An anonymous reader quotes a report from Ars Technica: The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft's Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings. At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack Electron ASAR archive files and inject new code into Electron's JavaScript libraries and built-in Chrome browser extensions. The vulnerability is not part of the applications themselves but of the underlying Electron framework -- and that vulnerability allows malicious activities to be hidden within processes that appear to be benign. Tsakalidis said that he had contacted Electron about the vulnerability but that he had gotten no response -- and the vulnerability remains.
While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows. Those modifications can create new event-based "features" that can access the file system, activate a Web cam, and exfiltrate information from systems using the functionality of trusted applications -- including user credentials and sensitive data. In his demonstration, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sent the contents of every code tab opened to a remote website. The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications. A request from developers to be able to encrypt ASAR files was closed by the Electron team without action.
While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows. Those modifications can create new event-based "features" that can access the file system, activate a Web cam, and exfiltrate information from systems using the functionality of trusted applications -- including user credentials and sensitive data. In his demonstration, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sent the contents of every code tab opened to a remote website. The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications. A request from developers to be able to encrypt ASAR files was closed by the Electron team without action.
It's JavaScript, duh! (Score:3, Insightful)
Re: (Score:3, Insightful)
JavaScript is just a language, and this kind of vulnerability can exist (and has been found) in similar frameworks written in other languages.
The solution is to know what's in the package, and typically it's by computing one or more hashes of the content and then transmitting the hash(es) securely, which is then typically solved with digital signatures and kicking the hash verification problem down the road to become a CA trust problem, which itself can be implemented badly and cause more vulnerabilities.
Go
Re:It's JavaScript, duh! (Score:5, Informative)
The issue seems to be another one of the new kids thinking they can do things better than their predecessors, and ignoring the lessons from history.
Re: (Score:3)
not learning from history due to ignorance or arrogance?
Re: It's JavaScript, duh! (Score:3)
Re: (Score:2)
More to the point, it was solved by Java, .NET and other platforms for downloadable code already
I hardly consider the walled garden approach as the problem being "solved". To solve a problem you shouldn't introduce another problem.
Re: (Score:2)
These are not walled gardens (or, perhaps, they are make-your-own garden walls), merely a properly-signed distribution method. It's up to you whose certs you want to trust. .Net worked this out long ago for "click to download" apps, which gave reasonable security for easy web-based distribution of software on your intranet for your horrible internal business apps (are there any other kind?).
Re:It's JavaScript, duh! (Score:5, Informative)
Re: (Score:3)
Re: (Score:1)
It doesn't need access to your pc, physical access, it's "local" access = "userland" access remotely, as opposed to "Administrator" or "root" access in the other OS's. You misread, it was unclear, but you misread 177 12 1L 3 3 7!
Re: (Score:1)
And that's only to modify the JS on YOUR MACHINE - it can be done on anyone in the group with file access that you then access, that's the point. Once the payload is in there it's js running on your machine on access.
Can that directly translate into dropping a troj? Yes.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
My first reaction also. What did they expect?
Being so blatant, it damn near seems intentional.
Re: (Score:2)
Re: It's JavaScript, duh! (Score:1)
Itâ(TM)s not a surprise. The same problem exists in WASM (webassembly)
The problem is that you can unpack all CEF or NW.JS programs, change the JS itself and the app will just trust it. The OSâ(TM)s signing only applies to the EXE, and if that app already has net access (Spotify,slack,etc) then it has a back door into your system.
And AV products can not detect it, as they donâ(TM)t scan JavaScript as part of packages in CEF or Nw.js
Re: (Score:2)
Microsoft claimed to spend an obscene amount of money rewriting Skype.
No wonder it went from being a more-or-less usable app to a steaming pile of horseshit that sucks monkey dicks.
Re: (Score:2, Informative)
I'm confused by this (Score:1)
Couldn't you do this to most software? Also couldn't you just do a CRC check to deal with this issue?
Re: (Score:2)
> Couldn't you do this to most software?
Yes. The article blows this out of proportion as this is nothing new.
> Also couldn't you just do a CRC check to deal with this issue?
Yes, but that is only a temporary setback. What's to stop a hacker from modifying the CRC? :-)
Subresource Integrity (SRI) (Score:2)
Subresource Integrity (SRI) effectively is a CRC...
https://github.com/zkat/ssri
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
answers....
Re: (Score:2)
I had to write a 64-bit crc class in c++ in the oughts to create unique crcs to create unique identifiers for datasets exceeding the 4 billion unique elements limit. Why not use another technique
Re: (Score:1)
A 64-bit crc is a lot harder to get an altered file to match.
It's O(1), just like any other CRC.
Just modify a few bytes until you get another match, something a computer is good at calculating. 64 bits is a much bigger search space.
CRC. IS. LINEAR.
You can simply *calculate* a value to XOR with your padding bits to get the desired result.
The only requirement is to have a modifiable bit in every position modulo the length of the checksum.
Why not use another technique? Because crcs are FAST.
Integer addition is even faster. And just as "secure" against tampering.
Still, with advances in hardware, probably have to step up to 128-bit crcs for detecting altered files
I'd be more worried about incompetent developers. Like the kind that believes a linear checksum is the right tool to detect deliberate modification...
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Naw come on dawg, just trust the md5 hash, how many times have I lied to you? You know me! Always true love baby. #Trusted computing
Re: (Score:2)
Call me a dinosaur if you want, but I think this push to make every platform use HASH based code authentication is misguided. Shouldn't we, just maybe, consider the local / remote boundary to be important and guard it carefully?
To me constant software CRC checks seem more aimed down the road of DRM where someone besides you is trying to control your computer from afar.
Re: I'm confused by this (Score:1)
Re: (Score:2)
All hail our already incumbent app store overlords!
Re: (Score:2)
Couldn't you do this to most software?
Absolutely. Letting attackers get local access is and always has been a bad thing. Some OS providers (or did) claim that local access can almost always be escalated to root because operating systems are complicated.
The waters are just muddy nowadays because when the producers are attackers trying to control you and lock you out of your own computer then things become a complicated little war zone on every machine.
But none of this is novel. We've known all this for years. Javascript, executables, byte co
it only requires local access on Windows... (Score:3)
Re: (Score:2)
Re: (Score:1)
"Local access" vs "administrator" or "root" or "$user" it's not really the main thrust of the vuln, "User" vs "administrator" on windows is an old dead horse anyway.
This was just one poc and demonstration. If ASAR's are unsigned js that runs anything at all there are ways to get in there and drop whatever. This is one way, it requires root - somewhere, anywhere, anyone in the cloud user pool w/ access.
Then the payload is in there and everyone is going to run it when they access it. Because. It's. Unsig
Re: (Score:3)
Re: (Score:1)
Please don't summon him, we're out of mod points already.
Frost piss? (Score:4, Funny)
Trolling on Slashdot has taken a real nosedive in recent years. Netcraft confirms it. There's almost never a goatse (even when the story is about backdoors), penis bird is pinin' for the fjords, and the hot grits have long since gone cold. With the rise of the alt-right, however, racist trolling seems to be on the rise, so that's good news if you have GNAA stock in your portfolio.
And whom are all the bases belonging nowadays? Natalie Portman? Will she tries to make them run Linux and try make a boewulf cluster out of them?
Or is she too busy waiting for the true release of Duke Nukem Forever?
I, for one, need to know which overlord I need to welcome!
Seems like scaremongering (Score:2, Interesting)
I'm not a software developer, I'm a user. But it seems to me like this stuff crops up 3 times a day.
"This app you use all the time can be easily taken over!" "This thing you use a lot has these major vulnerabilities that are easy to hack!"
It seems to me that "easy" is entirely dependent on the skill and knowledge set of hte hacker, and also is highly dependent on the opinion of the engineer writing these articles. After a time, the warning seems like overreacting and hype to the layman like me.
it only requires local access on Windows (Score:3)
That sounds like an issue with the OS not the application?
Old vulnerability (Score:1)
Seriously the BEEKMA tool is like 6 months old the underlying vulnerability had been around for a while before that. How is this news to anyone
JS is insecure. News at 11 (Score:2)
Ok, the actual news is that someone figured out the way that everyone knew would have to be there, but honestly. Seriously. The JS landscape being what it is, and Node.js in there - offer me a bet that this is not the last finding. Please?
Re: (Score:2)
Re: (Score:2)
If you think that security has nothing to do with programming languages, you have a lot more to do than just brushing up.
request closed without comment (Score:5, Interesting)
Does anybody have any more information why the electron devs decided to just close the request to add encryption without explaining why they will not implement it?
Remember when Skype was point to point? (Score:3)
Then for some reason E-Bay bought them for no obvious reason, and they never implemented any integration since the last thing vendors on E-Bay want is customers being able to call them? But for some reason now all Skype calls were routed through the US...
Non-news (Score:1)
The problem is not in Electron.
The problem is that windows, mac and linux are not sandboxed..
This is why (Score:1)
Don't use electron for anything, then, until it's been packaged.