Serious security hole found in Electron framework, Electron app's can be easily backdoored

; Date: Wed Aug 07 2019

An attacker that can gain access to a machine can easily patch an Electron application to run bad code that does bad things. The problem is Electron does not secure the contents of ASAR files, and they can be easily opened and modified.

The exploit was reported by Pavel Tsakalidis back in January. It involves unpacking, and modifying, the ASAR files comprising an Electron application. The modifications can easily contain any kind of badness, such as uploading data to a 3rd party server.

In many cases Electron app's are installed in a way that requires elevated permissions (a.k.a. Administrator) to modify files comprising the app. In some cases that's not the case, and normal joe-blow user permissions are required.

The attack involves unpacking files like app.asar which is located in the resources directory of the installed application.

Details are shown at the above link.

Since the problem is in the Electron framework, it is the Electron team that must fix this. An application designer can take a few steps such as:

Make sure you use CSP meta tags in your index.html file.
Implement and use WebViews were possible.

What the Electron team should do is implement encryption of the ASAR files.

About the Author(s)

David Herron : David Herron is a writer and software engineer focusing on the wise use of technology. He is especially interested in clean energy technologies like solar power, wind power, and electric cars. David worked for nearly 30 years in Silicon Valley on software ranging from electronic mail systems, to video streaming, to the Java programming language, and has published several books on Node.js programming and electric vehicles.

In Jenkins, automatically test an npm package, then publish if tests succeed How to create a copy-on-write clone of a file in Node.js