Electron Application Attacks: No Vulnerability Required
While you may have never heard of “Electron applications,” you most likely use them. Electron technology is in many of today’s most popular applications, from streaming music to messaging to video conferencing applications. Under the hood, Electron is essentially a Google Chrome window, which developers can modify to look however they prefer. Since Chrome is available on mostly all platforms — Windows, Linux, and Mac OS — once developers create applications, they will work just about everywhere.
Because of their widespread use in the consumer and business worlds, Electron applications can be a top target of attackers. And they may not require a vulnerability to exploit. As we have seen in the headlines, compromising Electron applications may simply require an inexpensive cookie purchase coupled with a phishing message to an unsuspecting employee.
The impact of an Electron application compromise can be devastating, which is why X-Force Red hacker Ruben Boonen (@FuzzySec) researched them a bit more.
Abby: Thank you for speaking with me today, Ruben. You mentioned you had wanted to research Electron applications because of their widespread use. What also made you want to dig into them further, especially considering you perform red team engagements for companies worldwide?
Ruben: I find Electron applications interesting, Abby, because of their widespread use, but also because of their less stringent login requirements. After the first-time logging into one these applications, it may not ask you to enter in your login credentials for another month (or longer). The application automatically logs you in, which means your computer can access any information, conversation, etc. that is on the platform. The application knows how to authenticate already without the user’s intervention. I wanted to see how that worked, mainly because I could use the findings for our adversary simulation engagements.
Abby: Where did you start your research process?
Ruben: Since the Electron platform is built on Google Chrome, public research exists already about how sessions are managed in the browser. Electron technology doesn’t operate exactly like the Chrome web browser. It operates differently. I dug into the known research about how it works, and that gave me the knowledge to figure out how Electron applications were automatically logging in users without requiring credentials. Using that knowledge, I built a tool aimed to attack a common messaging platform. We are incorporating the tool into our adversary simulation engagements to help companies find and fix gaps in their incident response processes.
Abby: From an attacker’s point of view, you wouldn’t need a vulnerability to exploit to compromise an Electron application, right?
Ruben: That’s correct. These are not vulnerabilities in the applications. It’s just the way Chrome session storage work. If I were an attacker and had access to your computer, I could pretend to be you on the application. I could extract your authentication information and pretend to be you, sitting at your desk. I could write to one of your peers, “Hey, I have a problem. Can you help me reset my password?” On red team engagements, we don’t have visual access to machines; we only have command line interface access. So, we phish people to gain access to their machines, and then use our custom-built tools to perform attacks against their applications, including Electron applications.
Abby: I understand you only use these techniques to help companies fortify their defenses, but if you were an attacker, what could you do after leveraging an Electron application’s automated login capabilities?
Ruben: If attackers can impersonate you, then they can access any data that is in the application. They can, for example, read your messages, send messages, download files that were shared on the platform, and conduct more attacks that would enable them to pivot onto the company’s network.
Abby: So, what can companies do to prevent these kinds of attacks? Since it’s not a vulnerability problem, I assume it’s more of a settings fix?
Ruben: This isn’t a problem with the Electron platform. It works as intended. I recommend companies limit the time applications don’t ask for users’ passwords. Some of these platforms ask you to enter in your credentials every few days. The more you can require users to enter their login information, without it burdening their every-day workload, the better. Companies should also collect logs. Most people log into these platforms from the same place, around the same time of day. So, if a log shows unusual behavior, such as logging in from another country at an hour that’s outside the user’s norm, it’s a red flag that a compromise may have happened. I will present more details about what companies can do during my talk at the Wild West Hackin’ Fest conference.
Abby: Yes, please share more details about the conference!
Ruben: I will be presenting a talk at the Wild West Hackin’ Fest conference from May 4-6. It will go more in-depth about my research into Electron applications and provide details about how companies can prevent these kinds of attacks. Our X-Force Red Adversary Simulation team is presenting six talks at the conference. You can view the full agenda here.
Abby: Thank you, Ruben! To our readers, if you are interested in learning more about X-Force Red’s Adversary Simulation Services, visit our site here.
Abby Ross is Associate Partner for X-Force Red, IBM Security’s team of veteran hackers. Abby is a seasoned marketing and public relations professional, with …
4 min read - This is a time of major changes for businesses and agencies. That includes the move to the cloud and the shift to being digital-first. So, cybersecurity has moved to a front-and-center position in many companies and industries. When talking about…
3 min read - Corporate clients and cloud service providers (CSPs) are both responsible for cloud security. Clients remain accountable for governance and compliance. However, their other duties will vary depending upon the type of cloud deployment. What can cloud-native security controls do for…
8 min read - This post was written with contributions from IBM Security X-Force’s Anne Jobmann, Claire Zaboeva and Richard Emerson. February 25, 2022 Update On February 24 2022, Symantec Enterprise reported a ransomware dubbed as PartyTicket was deployed alongside the HermeticWiper malware. IBM…
From 2020 to 2021, there was a 33% increase in the number of reported incidents caused by vulnerability exploitation, according to the 2022 X-Force Threat Intelligence Index. A large percentage of these exploited vulnerabilities were newly discovered; in fact, four out of the top five vulnerabilities in 2021 were newer vulnerabilities. Vulnerability exploitation was the […]
While you may have never heard of “Electron applications,” you most likely use them. Electron technology is in many of today’s most popular applications, from streaming music to messaging to video conferencing applications. Under the hood, Electron is essentially a Google Chrome window, which developers can modify to look however they prefer. Since Chrome is […]
In October 2021, Facebook (now Meta), and all its platforms (Instagram, WhatsApp and Messenger) shut down across the globe for up to six hours, leaving billions without a messaging service. While Facebook engineers scrambled to fix the problem, users pivoted to other apps to stay connected. In the wake of the outage, Telegram added 70 […]
In 2017, the number of connected devices surpassed the world’s human population. That’s a lot of things. However, many of them were not built with security in mind. It didn’t take long for attackers to take advantage of Internet of Things (IoT) vulnerabilities. One case in 2016 saw threat actors take down Dyn, a company […]
Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.
