
Aaditya Purani & Max Garrett- ElectroVolt: Pwning popular desktop apps while uncovering new attack..


    Aaditya Purani & Max Garrett - ElectroVolt: Pwning popular desktop apps while uncovering new attack surface on Electron



    Aaditya Purani, Senior Security Engineer
    Max Garrett, Application Security Auditor, Cure53

    Presentation Title: ElectroVolt: Pwning popular desktop apps while uncovering new attack surface on Electron
    Length of Presentation: 45 minutes
    Demo

    Electron-based apps are becoming the norm these days, as Electron allows encapsulating web applications into a desktop app that is rendered using Chromium. However, if an Electron app loads remote content of an attacker's choice, either via a feature or via misconfiguration of a Deep Link, an Open Redirect, or XSS, it would lead to Remote Code Execution on the OS.

    Previously, it was known that the lack of certain feature flags and inefficiency in applying best practices would cause this behavior, but we have identified sophisticated novel attack vectors within the core Electron framework which, under certain circumstances, could be leveraged to gain remote code execution on Electron apps despite all feature flags being set correctly.

    This presentation covers the vulnerabilities found in twenty commonly used Electron applications and demonstrates Remote Code Execution within apps such as Discord, Teams (local file read), VSCode, Basecamp, Mattermost, Element, Notion, and others.

    The speakers would like to thank Mohan Sri Rama Krishna Pedhapati, Application Security Auditor, Cure53, and William Bowling, Senior Software Developer, Biteable, for their contributions to this presentation.


    SPEAKER BIOS:

    Aaditya Purani is a senior security engineer at a leading automotive company. Aaditya's primary areas of expertise are web/mobile application penetration testing, product security reviews, blockchain security, and source code review.

    He contributes to responsible disclosure programs and is included in the hall of fame for Apple, Google and AT&T. He also participates in capture the flag (CTF) competitions with perfect blue, which has been a globally ranked top-1 CTF team since 2020.

    As a researcher, his notable public findings include BTCPay Pre-Auth RCE, Brave Browser Address Bar Vulnerability, and Akamai Zero Trust RCE. As a writer, Aaditya has authored articles for InfoSec Institute, Buzzfeed, and Hakin9. In the past, Aaditya has interned for Bishop Fox and Palo Alto Networks.
    https://twitter.com/aaditya_purani

    Maxwell Garrett is a 17-year-old Application Security Auditor formerly at Cure53. He also enjoys spending his spare time playing CTFs, doing security research, and playing basketball.
    Max has found vulnerabilities in Google Chrome, DOMPurify, Outlook Web App and more.
    https://twitter.com/thegrandpew


    REFERENCES:

    https://speakerdeck.com/masatokinuga...ion-curecon-en

    Last edited by number6; July 5, 2022, 12:55.