An anonymous reader quotes a report from Ars Technica: The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft's Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings. At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack Electron ASAR archive files and inject new code into Electron's JavaScript libraries and built-in Chrome browser extensions. The vulnerability is not part of the applications themselves but of the underlying Electron framework - and that vulnerability allows malicious activities to be hidden within processes that appear to be benign. Tsakalidis said that he had contacted Electron about the vulnerability but that he had gotten no response - and the vulnerability remains. While making these changes required administrator access on Linux and MacOS, it only requires local access on Windows.
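
As an added illustration of the point about applications being modified without triggering warnings (this is not code from the report or from BEEMKA), the sketch below hashes every file packed in an ASAR archive and compares the result with a manifest recorded from a known-good install. It assumes the standard ASAR layout (a 16-byte size header, a JSON index, then the file data); the function names and the sample archives are constructed for the example.

```python
import hashlib, json, struct

def read_asar_index(blob):
    """Return (JSON index, offset at which packed file data begins)."""
    # Header: four little-endian uint32 values (Pickle framing), then the JSON index.
    four, header_size, _, json_len = struct.unpack_from("<4I", blob, 0)
    if four != 4 or 16 + json_len > len(blob):
        raise ValueError("not an ASAR archive")
    return json.loads(blob[16:16 + json_len]), 8 + header_size

def asar_manifest(blob):
    """Map each packed file path to the SHA-256 of its contents."""
    index, base = read_asar_index(blob)
    manifest = {}
    def walk(node, prefix):
        for name, entry in node["files"].items():
            path = prefix + name
            if "files" in entry:        # directory: recurse
                walk(entry, path + "/")
            elif "offset" in entry:     # packed file (unpacked/link entries are skipped)
                start = base + int(entry["offset"])
                data = blob[start:start + entry["size"]]
                manifest[path] = hashlib.sha256(data).hexdigest()
    walk(index, "")
    return manifest

def changed_paths(baseline, current):
    """Paths added, removed or modified relative to the baseline manifest."""
    return sorted(p for p in baseline.keys() | current.keys()
                  if baseline.get(p) != current.get(p))

def build_sample_asar(files):
    """Constructed helper: pack {path: bytes} into a flat ASAR for the demo."""
    index, body = {"files": {}}, b""
    for name, data in files.items():
        index["files"][name] = {"size": len(data), "offset": str(len(body))}
        body += data
    js = json.dumps(index).encode()
    padded = js + b"\0" * (-len(js) % 4)    # index is padded to a 4-byte boundary
    header = struct.pack("<4I", 4, len(padded) + 8, len(padded) + 4, len(js))
    return header + padded + body

if __name__ == "__main__":
    # Constructed sample: a known-good archive and a copy with one file altered.
    good = build_sample_asar({"main.js": b"console.log('app')\n", "package.json": b"{}"})
    seen = build_sample_asar({"main.js": b"console.log('app')\n// x\n", "package.json": b"{}"})
    print(changed_paths(asar_manifest(good), asar_manifest(seen)))
```

The baseline manifest is only useful if it is recorded from a trusted copy of the application and stored where a local user cannot rewrite it.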