
This article seems a bit clickbait-y considering this means that you'd have to download the application from an untrusted source for this "exploit" to be taken advantage of. The same could be said for most applications if people aren't checking that the hashes match.

I feel like this will get a ton of discussion here anyway due to the Electron hate train.

What if you installed it via a trusted source, and then someone swapped the ASAR files without your knowledge? A flash drive programmed to operate as a keyboard could easily swap in a malicious file simply by plugging it into the victim's computer when they aren't paying attention.

Can't you do far worse if you're actually plugging in and running code from a flash drive on someone's computer?

Perhaps, depending on what sort of antivirus/monitoring software is installed. It would definitely leave a bigger trace to install, run, and persist a malevolent executable than it would to hijack an already trusted one. Like, if you saw a random exe running in Task Manager, you would be much more paranoid than if you just saw Slack.

I guess a better example might be if you have 2 admins on one computer and one could edit the files in the programs directory to spy on the other. This assumes that only trusted executables are run by the victim (i.e. Word) and you don't have the ability to modify its source code to make it malicious.
