
ElectroVolt: Pwning Popular Desktop Apps While Uncovering New Attack Surface on Electron

Conference:  Black Hat USA 2022

2022-08-11

Summary

The presentation discusses the importance of including Electron applications in threat modeling and of minimizing their attack surface. It also presents two case studies of remote code execution in commonly used applications.
  • Electron applications should be considered in threat modeling, and their security issues should be treated with higher scrutiny
  • Open URL redirection in an Electron app can be used to redirect a window to an external website and perform attacks
  • All windows in an Electron application, not only the main one, should have security settings applied
  • Two case studies of remote code execution in commonly used applications, VS Code and Discord, are presented
The presentation describes how the detection team found a way to perform remote code execution in VS Code in Restricted Mode, which earned them a $6000 bounty. They also received a prompt and swift response from the Microsoft team. This illustrates the importance of thoroughly testing and securing Electron applications.

Abstract

Electron-based apps are becoming the norm these days, as Electron allows encapsulating a web application into a desktop app that is rendered using Chromium. However, if an Electron app loads remote content of the attacker's choice, whether via a feature or via misconfiguration of a Deep Link, an Open Redirect, or XSS, it would lead to Remote Code Execution. Previously, it was known that the lack of certain feature flags and failure to apply best practices would cause this behavior, but we have identified novel attack vectors within the core Electron framework which could be leveraged to gain remote code execution on Electron apps despite the feature flags being set correctly, under certain circumstances. This presentation covers the vulnerabilities found in twenty commonly used Electron applications, which gained Remote Code Execution within apps such as Discord, Teams (local file read), VSCode, Basecamp, Mattermost, Element, Notion, and others.
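The two defensive points above (every window needs its security flags set, and an open redirect must not be able to steer a window to attacker-chosen content) as an added example; this is not code from the talk or from any of the apps it covers. It assumes a hypothetical app whose only legitimate remote origin is https://app.example.com, and runs without the electron module so the guard can be exercised with a stand-in webContents.

```javascript
// Added example, not the talk's code. Assumed trusted origin for the app.
const TRUSTED_ORIGINS = new Set(['https://app.example.com']);

// Flag webPreferences that let a renderer showing remote content reach Node.
// Only explicit values are checked: Electron's defaults vary by version, so an
// audit should insist on each window setting them explicitly.
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration === true) findings.push('nodeIntegration is enabled');
  if (prefs.contextIsolation === false) findings.push('contextIsolation is disabled');
  if (prefs.sandbox === false) findings.push('sandbox is disabled');
  if (prefs.webSecurity === false) findings.push('webSecurity is disabled');
  if (prefs.allowRunningInsecureContent === true) {
    findings.push('allowRunningInsecureContent is enabled');
  }
  return findings;
}

// A navigation may proceed only to an exact trusted https origin. Comparing
// the parsed origin (not a string prefix) rejects lookalikes such as
// https://app.example.com.evil.test as well as file: and javascript: targets.
function allowNavigation(target) {
  let url;
  try {
    url = new URL(target);
  } catch (e) {
    return false; // unparsable target: deny
  }
  return url.protocol === 'https:' && TRUSTED_ORIGINS.has(url.origin);
}

// Wire the guard into a webContents: cancel in-window navigation and deny
// window.open() targets outside the allowlist. In a real app this is called
// from app.on('web-contents-created', (_e, contents) => hardenWebContents(contents))
// so that every window, including popups, is covered.
function hardenWebContents(contents) {
  contents.on('will-navigate', (event, url) => {
    if (!allowNavigation(url)) event.preventDefault();
  });
  contents.setWindowOpenHandler(({ url }) =>
    allowNavigation(url) ? { action: 'allow' } : { action: 'deny' }
  );
}

// Constructed sample: a secondary window created with weak settings.
const popupPrefs = { nodeIntegration: true, contextIsolation: false, sandbox: false };
console.log(auditWebPreferences(popupPrefs));
```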
