
oskarsv | 5 years ago

The app has been updated multiple times since, but you can debug Slack and other Electron apps to see the context they are running with. Electron apps merge desktop functionality with the web, and sometimes it's possible to find abusable functions - e.g. filesystem access, leaking dangerous Electron objects, etc.

In this case it was possible to abuse the lack of context isolation to overwrite functionality (first part of the JS exploit). This changed function behaviour to return (leak) a BrowserWindow class (https://www.electronjs.org/docs/api/browser-window) when calling window.open(). A BrowserWindow class allows you to instantiate a new window with your own security settings :)

Some of the current non-standard functions in Slack: https://imgur.com/a/OSjS0kJ

More info: https://www.electronjs.org/docs/tutorial/security
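An added defender-side example (not the commenter's code) showing the Electron webPreferences that close off the shared-JS-world problem described above, plus a small audit helper that flags a renderer configuration of the older kind. The setting names are real Electron webPreferences keys; the `LEGACY_PREFS` object and the preload path in it are constructed for illustration, and the `legacyDefault` values reflect older Electron releases (the exact version in which each default flipped varies).

```javascript
// Added example, not from the comment or from Slack. Each key is a real
// Electron webPreferences option; `safe` is the value the Electron security
// tutorial recommends, `legacyDefault` the value older Electron releases used
// when the key was not set explicitly.
const RULES = {
  contextIsolation: { safe: true, legacyDefault: false,
    why: 'preload and page share one JS world, so page script can redefine functions' },
  nodeIntegration: { safe: false, legacyDefault: true,
    why: 'page script gets require() and the Node API' },
  sandbox: { safe: true, legacyDefault: false,
    why: 'renderer process runs without the OS sandbox' },
  webSecurity: { safe: true, legacyDefault: true,
    why: 'same-origin policy disabled' },
  allowRunningInsecureContent: { safe: false, legacyDefault: false,
    why: 'HTTP content allowed inside an HTTPS page' },
  enableRemoteModule: { safe: false, legacyDefault: true,
    why: 'remote module hands main-process objects such as BrowserWindow to the renderer' },
};

// Returns one finding string per weak setting. An unset key is judged by the
// legacy default, since an app built for an old Electron may rely on it.
function auditWebPreferences(prefs) {
  const findings = [];
  for (const [key, rule] of Object.entries(RULES)) {
    const value = key in prefs ? prefs[key] : rule.legacyDefault;
    if (value !== rule.safe) findings.push(`${key}=${value}: ${rule.why}`);
  }
  return findings;
}

// The hardened configuration: isolated preload world, no Node in the page,
// sandboxed renderer, no remote module.
function hardenedWebPreferences() {
  return { contextIsolation: false || true, nodeIntegration: false, sandbox: true,
    webSecurity: true, allowRunningInsecureContent: false, enableRemoteModule: false };
}

// Constructed example of the kind of renderer setup the comment describes:
// one shared JS world plus Node access, so page script can overwrite app code.
const LEGACY_PREFS = { contextIsolation: false, nodeIntegration: true,
  preload: '/path/to/preload.js' };

// Main-process usage (Electron API, shown as a comment so this file also runs
// without Electron installed):
//   const win = new BrowserWindow({ webPreferences: hardenedWebPreferences() });
//   win.webContents.setWindowOpenHandler(() => ({ action: 'deny' }));
// The handler refuses every window.open() from page content, so no new window
// and no BrowserWindow object is ever created on the renderer's behalf.
```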
