"So the only thing you need to do as an attacker is to find a way to invade your JavaScript within the webpage," Purani said. A common function for developers to use within Electron is to load remote content, which is one of multiple ways that Electrovolt was able to exploit Electron apps. While there is great power with Electron, there is also risk. "Just using HTML, JavaScript, and CSS you can ship an entirely cross platform native desktop application." "If you can build a website, then you can build a desktop application, that's the main concept behind Electron," Purani said. Electron enables developers to encapsulate web applications into a desktop app which is rendered using the Chromium web browser. Purani explained that Electron based apps have become increasingly common in recent years. The vulnerable applications included Microsoft Teams, VS Code, Discord, Mattermost, RocketChat, Notion and BaseCamp among others. "We were able to compromise 20 different electron applications, that are used by millions of people," Purani said.
#Rocketchat spy series
In a session at the DEFCON 30 security conference in Las Vegas, security researcher Aaditya Purani, detailed a series of vulnerabilities in Electron apps dubbed Electrovolt, that he and his team were able to discover over the course of a year of research. Electron is a widely used open source technology for building applications, making it a particularly lucrative attack target.
0 kommentar(er)
