While you may have never heard of “Electron applications,” you most likely use them. Electron technology is in many of today’s most popular applications, from streaming music to messaging to video conferencing applications. Under the hood, Electron is essentially a Google Chrome window, which developers can modify to look however they prefer. Since Chrome is available on mostly all platforms — Windows, Linux, and Mac OS — once developers create applications, they will work just about everywhere.

Because of their widespread use in the consumer and business worlds, Electron applications can be a top target of attackers. And they may not require a vulnerability to exploit. As we have seen in the headlines, compromising Electron applications may simply require an inexpensive cookie purchase coupled with a phishing message to an unsuspecting employee.

The impact of an Electron application compromise can be devastating, which is why X-Force Red hacker Ruben Boonen (@FuzzySec) researched them a bit more.

A Q&A with X-Force Red Hacker Ruben Boonen

Abby: Thank you for speaking with me today, Ruben. You mentioned you had wanted to research Electron applications because of their widespread use. What also made you want to dig into them further, especially considering you perform red team engagements for companies worldwide?

Ruben: I find Electron applications interesting, Abby, because of their widespread use, but also because of their less stringent login requirements. After the first-time logging into one these applications, it may not ask you to enter in your login credentials for another month (or longer). The application automatically logs you in, which means your computer can access any information, conversation, etc. that is on the platform. The application knows how to authenticate already without the user’s intervention. I wanted to see how that worked, mainly because I could use the findings for our adversary simulation engagements.

Abby: Where did you start your research process?

Ruben: Since the Electron platform is built on Google Chrome, public research exists already about how sessions are managed in the browser. Electron technology doesn’t operate exactly like the Chrome web browser. It operates differently. I dug into the known research about how it works, and that gave me the knowledge to figure out how Electron applications were automatically logging in users without requiring credentials. Using that knowledge, I built a tool aimed to attack a common messaging platform. We are incorporating the tool into our adversary simulation engagements to help companies find and fix gaps in their incident response processes.

Abby: From an attacker’s point of view, you wouldn’t need a vulnerability to exploit to compromise an Electron application, right?

Ruben: That’s correct. These are not vulnerabilities in the applications. It’s just the way Chrome session storage work. If I were an attacker and had access to your computer, I could pretend to be you on the application. I could extract your authentication information and pretend to be you, sitting at your desk. I could write to one of your peers, “Hey, I have a problem. Can you help me reset my password?” On red team engagements, we don’t have visual access to machines; we only have command line interface access. So, we phish people to gain access to their machines, and then use our custom-built tools to perform attacks against their applications, including Electron applications.

Abby: I understand you only use these techniques to help companies fortify their defenses, but if you were an attacker, what could you do after leveraging an Electron application’s automated login capabilities?

Ruben: If attackers can impersonate you, then they can access any data that is in the application. They can, for example, read your messages, send messages, download files that were shared on the platform, and conduct more attacks that would enable them to pivot onto the company’s network.

Abby: So, what can companies do to prevent these kinds of attacks? Since it’s not a vulnerability problem, I assume it’s more of a settings fix?

Ruben: This isn’t a problem with the Electron platform. It works as intended. I recommend companies limit the time applications don’t ask for users’ passwords. Some of these platforms ask you to enter in your credentials every few days. The more you can require users to enter their login information, without it burdening their every-day workload, the better. Companies should also collect logs. Most people log into these platforms from the same place, around the same time of day. So, if a log shows unusual behavior, such as logging in from another country at an hour that’s outside the user’s norm, it’s a red flag that a compromise may have happened. I will present more details about what companies can do during my talk at the Wild West Hackin’ Fest conference.

Abby: Yes, please share more details about the conference!

Ruben: I will be presenting a talk at the Wild West Hackin’ Fest conference from May 4-6. It will go more in-depth about my research into Electron applications and provide details about how companies can prevent these kinds of attacks. Our X-Force Red Adversary Simulation team is presenting six talks at the conference. You can view the full agenda here.

Abby: Thank you, Ruben! To our readers, if you are interested in learning more about X-Force Red’s Adversary Simulation Services, visit our site here.

More from Application Security

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…