Date: August 7, 2019
The exploit was reported by Pavel Tsakalidis back in January. It involves unpacking, and modifying, the ASAR files comprising an Electron application. The modifications can easily contain any kind of badness, such as uploading data to a 3rd party server.
In many cases Electron apps are installed in a way that requires elevated permissions (a.k.a. Administrator) to modify the files comprising the app. In other cases that's not so, and normal joe-blow user permissions are all that is required.
The attack involves unpacking files like `app.asar`, which is located in the `resources` directory of the installed application.
Details are shown at the above link.
Since the problem is in the Electron framework, it is the Electron team that must fix this. An application designer can take a few steps such as:
- Make sure you use CSP meta tags in your index.html file.
- Implement and use WebViews where possible.
What the Electron team should do is implement encryption of the ASAR files.
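Changes to app.asar can be detected by hashing every file in the archive and comparing against a baseline recorded at release time. The following is an added example, not code from the original post or from Electron; it assumes the ASAR header layout written by Electron's asar tool, and the function names are hypothetical.

```javascript
// Added example; function names are hypothetical. Assumed ASAR layout: bytes 4..7 hold the
// header pickle size, bytes 12..15 the JSON length, JSON index at 16, data at 8 + header size.
const crypto = require('crypto');
function asarManifest(buf) {
  if (buf.length < 16) throw new Error('truncated ASAR header');
  const headerSize = buf.readUInt32LE(4);
  const jsonLen = buf.readUInt32LE(12);
  const base = 8 + headerSize;
  if (16 + jsonLen > buf.length || base > buf.length) throw new Error('truncated ASAR header');
  const manifest = {};
  const walk = (node, prefix) => {
    for (const [name, entry] of Object.entries(node.files)) {
      const path = prefix + name;
      if (entry.files) { walk(entry, path + '/'); continue; }  // directory: recurse
      if (entry.unpacked || entry.link) continue;              // data lives outside the archive
      const start = base + Number(entry.offset);
      const end = start + entry.size;
      if (!(start >= base && end <= buf.length)) throw new Error('entry out of bounds: ' + path);
      manifest[path] = crypto.createHash('sha256').update(buf.subarray(start, end)).digest('hex');
    }
  };
  walk(JSON.parse(buf.toString('utf8', 16, 16 + jsonLen)), '');
  return manifest;
}
// Report every path whose presence or hash differs from the baseline.
function diffManifests(baseline, current) {
  const paths = new Set([...Object.keys(baseline), ...Object.keys(current)]);
  return [...paths].sort().flatMap((p) =>
    !(p in current) ? ['removed ' + p] : !(p in baseline) ? ['added ' + p]
      : baseline[p] !== current[p] ? ['modified ' + p] : []);
}
// Constructed sample: builds a tiny flat archive in memory so the check runs offline.
function buildSampleAsar(files) {
  const header = { files: {} };
  let offset = 0;
  const bodies = Object.entries(files).map(([name, text]) => {
    const data = Buffer.from(text);
    header.files[name] = { size: data.length, offset: String(offset) };
    offset += data.length;
    return data;
  });
  const json = Buffer.from(JSON.stringify(header));
  const padded = Math.ceil(json.length / 4) * 4;  // pickle strings are 4-byte aligned
  const head = Buffer.alloc(16 + padded);
  [4, 8 + padded, 4 + padded, json.length].forEach((v, i) => head.writeUInt32LE(v, i * 4));
  json.copy(head, 16);
  return Buffer.concat([head, ...bodies]);
}
```

In use, read the installed resources/app.asar with fs.readFileSync and compare it against a manifest recorded from the release build, kept where the account that can write to the app directory cannot change it.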