Serious security hole found in Electron framework, Electron apps can be easily backdoored

Date: August 7, 2019

Tags: Node.JS, Electron

An attacker who gains access to a machine can easily patch an installed Electron application so that it runs malicious code. The problem is that Electron does not secure the contents of ASAR files, so they can be easily opened and modified.

The exploit was reported by Pavel Tsakalidis (www.contextis.com) back in January. It involves unpacking and modifying the ASAR files comprising an Electron application. The modifications can contain any kind of malicious behavior, such as uploading data to a third-party server.

In many cases Electron apps are installed in a way that requires elevated permissions (a.k.a. Administrator) to modify the files comprising the app. In other cases elevated permissions are not needed, and normal user permissions are all that is required.

The attack involves unpacking files like app.asar, which is located in the resources directory of the installed application.

Details are shown at the above link.

Since the problem is in the Electron framework, it is the Electron team that must fix this. An application designer can take a few steps such as:

  • Make sure you use CSP meta tags in your index.html file.
  • Implement and use WebViews where possible.

What the Electron team should do is implement encryption of the ASAR files.
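Because nothing in the framework checks the contents of app.asar, a defender can detect modification by hashing each packed file and comparing the result with a manifest recorded from the shipped build. The following Node.js code is an added example, not code from Electron or from the original report; it assumes the standard ASAR layout (two size records, a JSON header, then file data), and `buildAsar` and the sample file contents are constructed for the demonstration.

```javascript
const crypto = require('node:crypto');

// Parse an ASAR buffer and return { path: sha256 } for every packed file.
// Assumed layout: two Chromium "pickle" records, a JSON header, then raw file bytes.
function asarManifest(buf) {
  if (buf.length < 16) throw new Error('not an ASAR archive');
  const headerSize = buf.readUInt32LE(4);   // size of the header pickle
  const jsonLen = buf.readUInt32LE(12);     // length of the JSON header string
  const base = 8 + headerSize;              // file data starts here
  if (base > buf.length || 16 + jsonLen > base) throw new Error('truncated ASAR header');
  const header = JSON.parse(buf.toString('utf8', 16, 16 + jsonLen));
  const manifest = Object.create(null);
  (function walk(dir, prefix) {
    for (const [name, entry] of Object.entries(dir.files)) {
      if (entry.files) { walk(entry, prefix + name + '/'); continue; }
      if (entry.offset === undefined) continue; // unpacked file or symlink
      const start = base + Number(entry.offset), end = start + Number(entry.size);
      if (!(start >= base && end >= start && end <= buf.length)) throw new Error('bad entry: ' + prefix + name);
      manifest[prefix + name] = crypto.createHash('sha256').update(buf.subarray(start, end)).digest('hex');
    }
  })(header, '');
  return manifest;
}

// Report files added, removed or modified relative to a known-good manifest.
function diffManifests(baseline, current) {
  const paths = [...new Set([...Object.keys(baseline), ...Object.keys(current)])].sort();
  return paths.filter((p) => baseline[p] !== current[p]).map((p) =>
    (p in current ? (p in baseline ? 'modified: ' : 'added: ') : 'removed: ') + p);
}

// Constructed sample: build a tiny flat ASAR in memory (not a real application).
function buildAsar(files) {
  const header = { files: {} }, bodies = [];
  let offset = 0;
  for (const [name, text] of Object.entries(files)) {
    header.files[name] = { size: Buffer.byteLength(text), offset: String(offset) };
    offset += Buffer.byteLength(text);
    bodies.push(Buffer.from(text));
  }
  const json = Buffer.from(JSON.stringify(header)), padded = Math.ceil(json.length / 4) * 4;
  const head = Buffer.alloc(16 + padded);
  [4, padded + 8, padded + 4, json.length].forEach((v, i) => head.writeUInt32LE(v, i * 4));
  json.copy(head, 16);
  return Buffer.concat([head, ...bodies]);
}

const shipped = asarManifest(buildAsar({ 'main.js': 'start();', 'index.html': '<h1>app</h1>' }));
const onDisk = asarManifest(buildAsar({ 'main.js': 'start(); extra();', 'index.html': '<h1>app</h1>' }));
console.log(diffManifests(shipped, onDisk)); // [ 'modified: main.js' ]
```

For a real check, pass `fs.readFileSync` of the installed app.asar to `asarManifest` and keep the baseline manifest somewhere the user account running the app cannot write.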