Skype, Slack and other applications on Electron can easily implement a backdoor

The Electron framework is popular with developers due to its cross-platform capabilities. It is based on JavaScript and Node.js and is used to create web-based desktop applications. However, according to researcher Pavel Tsakalidis, applications based on Electron may be vulnerable.   At the BSides LV conference on Tuesday, Pavel Tsakalidis demonstrated the BEEMKA tool he created. The tool allows you to unpack Electron ASAR archive files and inject new code into the Electron JavaScript libraries and Chrome browser built-in extensions. Vulnerability does not lie in the applications themselves, but in the basic structure of Electron, and allows you to hide malicious actions in processes that seem to be safe.   To make changes, the attacker will have to gain administrator access on Linux and MacOS (local access is sufficient on Windows). After implementing the new code, you can access the file system, activate the webcam and extract information from the system, including user credentials and other confidential information. The problem is that the Electron ASAR files themselves are not encrypted or signed, which allows them to be changed without changing the signature of the corresponding applications.   At the conference, Tsakalidis demonstrated a version of Microsoft Visual Studio Code with a backdoor that sent input to a remote website. According to him, remote attacks so far do not pose a threat, since local access is required to make changes to Electron applications. However, attackers can disguise applications and distribute them.   Tsakalidis also said that he informed Electron developers about the vulnerability he found. His appeal has not yet been answered, and the problem is still open.