Preloading Insecurity In Your Electron presented at BlackHatAsia2019 2019

by Luca Carettoni,

Summary : Modern browsers are complicated systems. They enforce numerous security mechanisms to ensure isolation between sites, facilitate web security protections and preventing untrusted remote content to compromise the security of the host. When working with Electron (https://electronjs.org/), things get even more complicated. The good news is that building secure Electron-based desktop applications is possible. Despite popular belief, the average Electron-based app is more secure than the average web application. The framework itself is getting better, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning all common pitfalls.It's time to shift gears. In this presentation, we will discuss a relatively unexplored class of vulnerabilities that can turn a boring XSS into RCE. Even without a framework bug (e.g. nodeIntegration bypass), BrowserWindow preload introduces a new interesting attack surface to Electron-based applications. Abusing Electron's internal IPC, loggers and other application components we will show how we can turn a Cross-Site Scripting vulnerability into a reliable exploitation mechanism to fully compromise popular desktop applications.