September 22, 2020

Electron-based apps are easily modified and backdoored

Thanks to its cross-platform capabilities, the Electron development platform is a key component of many applications. Built on JavaScript and Node.js, Electron is used in popular messaging applications such as Skype, WhatsApp and Slack, and even in Microsoft's Visual Studio Code development tool. But Electron also poses a security risk, because applications built on it are easy to modify to implant a backdoor.

At the BSides LV security conference, security researcher Pavel Tsakalidis demonstrated a Python-based tool, BEEMKA, which can extract Electron ASAR archive files and inject new code into JavaScript libraries and built-in Chrome browser extensions.

The vulnerability is not in the application but in Electron, the underlying framework used by the application. Tsakalidis said he contacted Electron but did not receive a response.
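A defender-side check for the kind of ASAR modification described above, as an added example that is not from the article or from BEEMKA: it reads the archive header, hashes every packed file and reports paths that differ from a known-good baseline. The header layout follows the public ASAR format; `build_asar`, the file names and the file contents are constructed here only so the sample runs offline.

```python
import hashlib
import json
import struct

def build_asar(files):
    """Pack {name: bytes} into a minimal flat ASAR (constructed sample input only)."""
    index, blob = {}, b""
    for name, data in files.items():
        index[name] = {"size": len(data), "offset": str(len(blob))}
        blob += data
    js = json.dumps({"files": index}).encode()
    padded = js + b"\0" * (-len(js) % 4)
    # Chromium Pickle framing: [4][header pickle size][payload size][JSON length]
    return struct.pack("<4I", 4, len(padded) + 8, len(padded) + 4, len(js)) + padded + blob

def asar_manifest(raw):
    """Return {path: sha256 hex} for every file packed inside an ASAR archive."""
    if len(raw) < 16 or struct.unpack_from("<I", raw)[0] != 4:
        raise ValueError("not an ASAR archive")
    pickle_size, _payload, json_len = struct.unpack_from("<3I", raw, 4)
    if 16 + json_len > len(raw):
        raise ValueError("truncated ASAR header")
    header = json.loads(raw[16:16 + json_len])
    base = 8 + pickle_size  # file data begins right after the header pickle
    manifest = {}

    def walk(node, prefix):
        for name, entry in node["files"].items():
            if "files" in entry:            # directory: recurse
                walk(entry, prefix + name + "/")
            elif "offset" in entry:         # packed file; unpacked/link entries are skipped
                start = base + int(entry["offset"])
                end = start + entry["size"]
                if end > len(raw):
                    raise ValueError("entry runs past end of archive: " + prefix + name)
                manifest[prefix + name] = hashlib.sha256(raw[start:end]).hexdigest()

    walk(header, "")
    return manifest

def diff_manifests(baseline, current):
    """Paths added, removed or changed relative to the baseline manifest."""
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))

if __name__ == "__main__":
    good = build_asar({"main.js": b"console.log('app');", "renderer.js": b"render();"})
    seen = build_asar({"main.js": b"console.log('app'); extra();", "renderer.js": b"render();"})
    print(diff_manifests(asar_manifest(good), asar_manifest(seen)))
```

In practice the baseline manifest would be recorded from the vendor's signed installer and the check run against the `app.asar` on disk.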

Via: arstechnica