Preloading Insecurity In Your Electron

Presented at Black Hat Asia 2019, March 28, 2019, 2:15 p.m. (60 minutes)

Modern browsers are complicated systems. They enforce numerous security mechanisms to ensure isolation between sites, facilitate web security protections and prevent untrusted remote content from compromising the security of the host. When working with Electron (https://electronjs.org/), things get even more complicated.

The good news is that building secure Electron-based desktop applications is possible. Despite popular belief, the average Electron-based app is more secure than the average web application. The framework itself is getting better, secure-by-default settings are slowly becoming the norm and the dev community is gradually learning all common pitfalls.

It's time to shift gears. In this presentation, we will discuss a relatively unexplored class of vulnerabilities that can turn a boring XSS into RCE. Even without a framework bug (e.g. nodeIntegration bypass), BrowserWindow preload introduces a new interesting attack surface to Electron-based applications.

By abusing Electron's internal IPC, loggers and other application components, we will show how a Cross-Site Scripting vulnerability can be turned into a reliable exploitation mechanism to fully compromise popular desktop applications.
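As an added illustration (not code from the talk or from any particular application), a defender-side preload that narrows what a compromised renderer can reach: the raw `ipcRenderer` is never handed to page content; instead a frozen wrapper with an IPC channel allowlist is exposed through `contextBridge`. The channel names, the `appApi` global and the dependency-injection style (so the wrapper can be exercised outside Electron) are assumptions.

```javascript
// Added example: a hardened Electron preload. The page only ever sees the
// object returned by buildBridgeApi(), never ipcRenderer, require() or process.

// Assumed channel allowlist. Anything not listed is refused, so script injected
// into the renderer cannot reach arbitrary main-process IPC handlers.
const ALLOWED_SEND = new Set(['app:log', 'file:open-dialog']);
const ALLOWED_INVOKE = new Set(['settings:get']);

// Only plain, structured-cloneable data crosses the bridge; the JSON
// round-trip strips functions, prototypes and other non-data values.
function toPlainData(value) {
  return JSON.parse(JSON.stringify(value === undefined ? null : value));
}

// Builds the API object that the preload exposes to page content.
// ipcRenderer is injected so the wrapper can be tested without Electron.
function buildBridgeApi(ipcRenderer) {
  return Object.freeze({
    send(channel, payload) {
      if (!ALLOWED_SEND.has(channel)) {
        throw new Error(`send: channel not allowed: ${channel}`);
      }
      ipcRenderer.send(channel, toPlainData(payload));
      return true;
    },
    invoke(channel, payload) {
      if (!ALLOWED_INVOKE.has(channel)) {
        return Promise.reject(new Error(`invoke: channel not allowed: ${channel}`));
      }
      return ipcRenderer.invoke(channel, toPlainData(payload));
    },
  });
}

// Wiring used when actually running as a preload inside Electron. contextBridge
// only isolates this object from page scripts when contextIsolation is enabled
// on the BrowserWindow; this branch is skipped under plain Node.js.
if (typeof process !== 'undefined' && process.versions && process.versions.electron) {
  const { contextBridge, ipcRenderer } = require('electron');
  contextBridge.exposeInMainWorld('appApi', buildBridgeApi(ipcRenderer));
}
```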


Presenters:

  • Luca Carettoni - Co-founder, Doyensec LLC
    Luca Carettoni is a respected web security expert with over 15 years of experience in the application security field. Throughout his career, he has worked on security problems across multiple industries and companies of different sizes. He is the co-founder of Doyensec, an application security consultancy working at the intersection of offensive engineering and software development. At LinkedIn, he led a team responsible for identifying new security vulnerabilities in applications, infrastructure and open source components. Prior to that, Luca worked as the Director of Information Security at Addepar, a startup that is reinventing global wealth management. Proud to be a Matasano Security alumnus, he helped bootstrap the Silicon Valley office by delivering high-quality security assessments to software vendors and startups. As a security researcher, he discovered numerous vulnerabilities in software products of multiple vendors including 3com, Apple, Barracuda, Cisco, Citrix, HP, IBM, Oracle, Sun, Siemens, VMware, Zend and many others. Since the beginning of his career, he has been an active participant in the security community and a member of the Open Web Application Security Project (OWASP). Luca holds a Master's Degree in Computer Engineering from the Politecnico di Milano University.
