While you may have never heard of “Electron applications,” you most likely use them. Electron technology is in many of today’s most popular applications, from streaming music to messaging to video conferencing applications. Under the hood, Electron is essentially a Google Chrome window, which developers can modify to look however they prefer. Since Chrome is available on almost all platforms — Windows, Linux, and macOS — once developers create an application, it will work just about everywhere.

Because of their widespread use in the consumer and business worlds, Electron applications can be a top target of attackers. And they may not require a vulnerability to exploit. As we have seen in the headlines, compromising Electron applications may simply require an inexpensive cookie purchase coupled with a phishing message to an unsuspecting employee.

The impact of an Electron application compromise can be devastating, which is why X-Force Red hacker Ruben Boonen (@FuzzySec) researched them a bit more.

A Q&A with X-Force Red hacker Ruben Boonen

Abby: Thank you for speaking with me today, Ruben. You mentioned you had wanted to research Electron applications because of their widespread use. What also made you want to dig into them further, especially considering you perform red team engagements for companies worldwide?

Ruben: I find Electron applications interesting, Abby, because of their widespread use, but also because of their less stringent login requirements. After logging into one of these applications for the first time, it may not ask you to enter your login credentials for another month (or longer). The application automatically logs you in, which means your computer can access any information, conversation, etc. that is on the platform. The application knows how to authenticate already without the user’s intervention. I wanted to see how that worked, mainly because I could use the findings for our adversary simulation engagements.

Abby: Where did you start your research process?

Ruben: Since the Electron platform is built on Google Chrome, public research already exists about how sessions are managed in the browser. Electron technology doesn’t operate exactly like the Chrome web browser. It operates differently. I dug into the known research about how it works, and that gave me the knowledge to figure out how Electron applications were automatically logging in users without requiring credentials. Using that knowledge, I built a tool aimed at attacking a common messaging platform. We are incorporating the tool into our adversary simulation engagements to help companies find and fix gaps in their incident response processes.

Abby: From an attacker’s point of view, you wouldn’t need a vulnerability to exploit to compromise an Electron application, right?

Ruben: That’s correct. These are not vulnerabilities in the applications. It’s just the way Chrome session storage works. If I were an attacker and had access to your computer, I could pretend to be you on the application. I could extract your authentication information and pretend to be you, sitting at your desk. I could write to one of your peers, “Hey, I have a problem. Can you help me reset my password?” On red team engagements, we don’t have visual access to machines; we only have command line interface access. So, we phish people to gain access to their machines, and then use our custom-built tools to perform attacks against their applications, including Electron applications.

Abby: I understand you only use these techniques to help companies fortify their defenses, but if you were an attacker, what could you do after leveraging an Electron application’s automated login capabilities?

Ruben: If attackers can impersonate you, then they can access any data that is in the application. They can, for example, read your messages, send messages, download files that were shared on the platform, and conduct more attacks that would enable them to pivot onto the company’s network.

Abby: So, what can companies do to prevent these kinds of attacks? Since it’s not a vulnerability problem, I assume it’s more of a settings fix?

Ruben: This isn’t a problem with the Electron platform. It works as intended. I recommend companies limit the time applications don’t ask for users’ passwords. Some of these platforms ask you to enter your credentials every few days. The more you can require users to enter their login information, without it burdening their everyday workload, the better. Companies should also collect logs. Most people log into these platforms from the same place, around the same time of day. So, if a log shows unusual behavior, such as logging in from another country at an hour that’s outside the user’s norm, it’s a red flag that a compromise may have happened. I will present more details about what companies can do during my talk at the Wild West Hackin’ Fest conference.

Abby: Yes, please share more details about the conference!

Ruben: I will be presenting a talk at the Wild West Hackin’ Fest conference from May 4-6. It will go more in-depth about my research into Electron applications and provide details about how companies can prevent these kinds of attacks. Our X-Force Red Adversary Simulation team is presenting six talks at the conference. You can view the full agenda here.

Abby: Thank you, Ruben! To our readers, if you are interested in learning more about X-Force Red’s Adversary Simulation Services, visit our site here.
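As an added, illustrative example (not code from the interview, from Ruben, or from X-Force Red), the log-review recommendation in the Q&A above can be expressed as a simple per-user baseline check over a constructed login log: flag a login from a country the user has never signed in from, or at an hour far from every hour they have signed in at before. The log format, user names and thresholds below are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (hypothetical format: UTC timestamp,
# user, source country). Alice normally signs in from the US around 09:00,
# Bob from GB around 14:00; the last event for each breaks that pattern.
SAMPLE_LOG = """\
2024-03-04T08:55:12Z alice US
2024-03-05T09:02:41Z alice US
2024-03-06T08:47:03Z alice US
2024-03-07T09:10:29Z alice US
2024-03-08T03:21:55Z alice RO
2024-03-04T14:30:00Z bob GB
2024-03-05T14:05:18Z bob GB
2024-03-06T13:58:42Z bob GB
2024-03-07T22:40:07Z bob GB
"""

def parse_log(text):
    """Parse the constructed log format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, country = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "country": country})
    return events

def hour_gap(h1, h2):
    d = abs(h1 - h2) % 24  # distance between two hours on a 24-hour circle
    return min(d, 24 - d)

def detect_anomalies(events, min_history=3, hour_slack=2):
    """Once a user has min_history prior logins, flag any later login from
    a country never seen for them or at an hour > hour_slack from all prior."""
    history = defaultdict(list)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        prior = history[ev["user"]]
        if len(prior) >= min_history:
            reasons = []
            if ev["country"] not in {p["country"] for p in prior}:
                reasons.append("new_country")
            if all(hour_gap(ev["ts"].hour, p["ts"].hour) > hour_slack
                   for p in prior):
                reasons.append("unusual_hour")
            if reasons:
                alerts.append((ev["user"], ev["ts"].isoformat(), reasons))
        prior.append(ev)  # every login, flagged or not, extends the baseline
    return alerts
```

Running `detect_anomalies(parse_log(SAMPLE_LOG))` flags Bob's 22:40 login for the unusual hour and Alice's 03:21 login from RO for both a new country and an unusual hour, while the routine logins produce no alert.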
