Electron powers many of today’s most popular desktop applications. However, hidden within these applications, there could be serious and overlooked misconfigurations. We’ll delve into how minor errors, such as enabling nodeIntegration, using insecure ASAR packaging, and so on, can escalate into system compromise.

This talk will provide practical examples by leveraging vulnerable applications. We’ll demonstrate how Cross-Site Scripting (XSS) can lead to Remote Code Execution (RCE) and how the lack of ASAR integrity can enable attackers to establish persistence on a victim’s computer.

The purpose of this talk is to introduce the topic of Electron-based security issues to a broad and diverse audience, shedding light on the security of modern desktop applications.