While you may have never heard of “Electron applications,” you most likely use them. Electron technology is in many of today’s most popular applications, from streaming music to messaging to video conferencing applications. Under the hood, Electron is essentially a Google Chrome window, which developers can modify to look however they prefer. Since Chrome is available on mostly all platforms — Windows, Linux, and Mac OS — once developers create applications, they will work just about everywhere.

Because of their widespread use in the consumer and business worlds, Electron applications can be a top target of attackers. And they may not require a vulnerability to exploit. As we have seen in the headlines, compromising Electron applications may simply require an inexpensive cookie purchase coupled with a phishing message to an unsuspecting employee.

The impact of an Electron application compromise can be devastating, which is why X-Force Red hacker Ruben Boonen (@FuzzySec) researched them a bit more.

A Q&A with X-Force Red Hacker Ruben Boonen

Abby: Thank you for speaking with me today, Ruben. You mentioned you had wanted to research Electron applications because of their widespread use. What also made you want to dig into them further, especially considering you perform red team engagements for companies worldwide?

Ruben: I find Electron applications interesting, Abby, because of their widespread use, but also because of their less stringent login requirements. After the first-time logging into one these applications, it may not ask you to enter in your login credentials for another month (or longer). The application automatically logs you in, which means your computer can access any information, conversation, etc. that is on the platform. The application knows how to authenticate already without the user’s intervention. I wanted to see how that worked, mainly because I could use the findings for our adversary simulation engagements.

Abby: Where did you start your research process?

Ruben: Since the Electron platform is built on Google Chrome, public research exists already about how sessions are managed in the browser. Electron technology doesn’t operate exactly like the Chrome web browser. It operates differently. I dug into the known research about how it works, and that gave me the knowledge to figure out how Electron applications were automatically logging in users without requiring credentials. Using that knowledge, I built a tool aimed to attack a common messaging platform. We are incorporating the tool into our adversary simulation engagements to help companies find and fix gaps in their incident response processes.

Abby: From an attacker’s point of view, you wouldn’t need a vulnerability to exploit to compromise an Electron application, right?

Ruben: That’s correct. These are not vulnerabilities in the applications. It’s just the way Chrome session storage work. If I were an attacker and had access to your computer, I could pretend to be you on the application. I could extract your authentication information and pretend to be you, sitting at your desk. I could write to one of your peers, “Hey, I have a problem. Can you help me reset my password?” On red team engagements, we don’t have visual access to machines; we only have command line interface access. So, we phish people to gain access to their machines, and then use our custom-built tools to perform attacks against their applications, including Electron applications.

Abby: I understand you only use these techniques to help companies fortify their defenses, but if you were an attacker, what could you do after leveraging an Electron application’s automated login capabilities?

Ruben: If attackers can impersonate you, then they can access any data that is in the application. They can, for example, read your messages, send messages, download files that were shared on the platform, and conduct more attacks that would enable them to pivot onto the company’s network.

Abby: So, what can companies do to prevent these kinds of attacks? Since it’s not a vulnerability problem, I assume it’s more of a settings fix?

Ruben: This isn’t a problem with the Electron platform. It works as intended. I recommend companies limit the time applications don’t ask for users’ passwords. Some of these platforms ask you to enter in your credentials every few days. The more you can require users to enter their login information, without it burdening their every-day workload, the better. Companies should also collect logs. Most people log into these platforms from the same place, around the same time of day. So, if a log shows unusual behavior, such as logging in from another country at an hour that’s outside the user’s norm, it’s a red flag that a compromise may have happened. I will present more details about what companies can do during my talk at the Wild West Hackin’ Fest conference.

Abby: Yes, please share more details about the conference!

Ruben: I will be presenting a talk at the Wild West Hackin’ Fest conference from May 4-6. It will go more in-depth about my research into Electron applications and provide details about how companies can prevent these kinds of attacks. Our X-Force Red Adversary Simulation team is presenting six talks at the conference. You can view the full agenda here.

Abby: Thank you, Ruben! To our readers, if you are interested in learning more about X-Force Red’s Adversary Simulation Services, visit our site here.

More from Application Security

Securing Your SAP Environments: Going Beyond Access Control

Many large businesses run SAP to manage their business operations and their customer relations. Security has become an increasingly critical priority due to the ongoing digitalization of society and the new opportunities that attackers exploit to achieve a system breach. Recent attacks related to corrupt data, stealing personal information and escalating privileges for remote code execution all highlight the new and varied entry points threat actors have taken advantage of. Attackers with the appropriate skills could be able to exploit…

Does Follina Mean It’s Time to Abandon Microsoft Office?

As a freelance writer, I spend most of my day working in Microsoft Word. Then, I send drafts to clients and companies across the globe. So, news of the newly discovered Microsoft Office vulnerability made me concerned about the possibility of accidentally spreading malware to my clients. I take extra precautions to ensure that I’m not introducing risk to my clients. Still, using Microsoft Office was something I did many times a day without a second thought. I brought up…

3 Reasons Why Technology Integration Matters

As John Donne once wrote, “No man is an island entire of itself.” With digitalization bridging any distance, the same logic could be applied to tech. Threat actors have vast underground forums for sharing their intelligence, while security professionals remain tight-lipped in a lot of data breach cases. Much like the way a vaccine can help stop the spread of infectious diseases, sharing threat intelligence and defense strategies can help to establish a more secure future for everyone.  So what…

Why Your Success Depends on Your IAM Capability

It’s truly universal: if you require your workforce, customers, patients, citizens, constituents, students, teachers… anyone, to register before digitally accessing information or buying goods or services, you are enabling that interaction with identity and access management (IAM). Many IAM vendors talk about how IAM solutions can be an enabler for productivity, about the return on investment (ROI) that can be achieved after successfully rolling out an identity strategy. They all talk about reduction in friction, improving users' perception of the…