For a while you could get persistent native code execution (effectively root) in Slack, Discord and Microsoft Teams by dropping a text file in a specific spot in AppData/homedir/etc. Didn't even need to be chmodded or anything, just drop the file there and the Electron apps would run it at startup with full permissions. Really dramatically lowered the difficulty of running code on an end-user's machine, especially since that directory is writable by virtually anything, including an Electron app you've XSS'd.
I think all 3 have been patched to prevent that particular attack, but it's astonishing to me that Electron apps don't seem to use any form of code signing.
My HackerOne reports were all Out Of Scope, naturally, until parts of the attack got assigned CVEs later and someone else got the bug bounty :) At least it's fixed!