Organisasi kadang ngandelkeun Google OAuth pikeun nga-asténtikasi pangguna. Aranjeunna condong nganggap yén Google téh omnipotent tur wijaksana, ku kituna kaputusan na ngeunaan naha méré aksés pamaké dianggap dibaca.

Hanjakalna, iman buta sapertos bahaya: pilihan “Asup sareng Google” ngagaduhan kalemahan anu serius. Dina Désémber 2023, panalungtik Dylan Ayrey di Truffle Security mendakan kerentanan anu lumayan jahat dina Google OAuth anu ngamungkinkeun para karyawan nahan aksés kana sumber daya perusahaan saatos pisah ti perusahaanna. Aya ogé cara pikeun urang asing pikeun ngamangpaatkeun bug ieu sareng kéngingkeun aksés.

Naon anu lepat sareng asup Google OAuth

Kerentanan ieu lumangsung alatan sababaraha faktor. Kahiji: Google ngidinan pamaké pikeun nyieun hiji akun Google ngagunakeun sagala email – lain ngan Gmail. Pikeun asup ka Google Workspace perusahaan, alamat surelek sareng nami domain perusahaan biasana dianggo. Contona, hiji pagawe pausahaan hypothetical Conto Inc. tiasa gaduh alamat email éta alanna@example.com.

Anu

Google OAuth dipaké ku rupa-rupa platform gawé di loba organisasi. Contona, ieu tombol “Asup sareng Google” dina slack.slack.com

Kadua: Google (sareng sajumlah jasa online anu sanés) ngadukung naon anu disebut sub-addressing. Ieu ngidinan Anjeun nyieun alamat landian ku nambahkeun tanda tambah (+) kana alamat surélék nu aya, dituturkeun ku naon anjeun resep. Salah sahiji kagunaanna nyaéta pikeun ngatur aliran email.

Salaku conto, nalika ngadaptar akun sareng bank online, anjeun tiasa netepkeun alamatna alanna+bank@example.com; nalika ngadaptar sareng panyadia ladenan komunikasi – alanna+telco@example.com. Sacara resmi, ieu mangrupikeun alamat anu béda, tapi emailna bakal ka kotak surat anu sami – alanna@example.com. Sarta alatan eusi widang “Ka:” béda, pesen asup bisa diatur béda ngagunakeun aturan nu tangtu.

Asup ka Slack sareng Google

Conto asup kana Slack sareng Google nganggo alamat email landian kalayan tanda tambah

Katilu: dina seueur platform kerja sapertos Zoom sareng Slack, otorisasina ngalangkungan tombol “Asup sareng Google” nganggo domain alamat email anu ditunjuk nalika ngadaptar akun Google. Janten, dina conto urang, pikeun nyambung ka ruang kerja Conto Inc example.slack.comanjeun peryogi @example.com alamat.

Tungtungna, kaopat: kasebut nyaéta dimungkinkeun pikeun ngédit alamat surélék dina akun Google. Di dieu, sub-addressing bisa dipaké ku cara ngarobah, sebutkeun, alanna@example.com ka alanna+whatever@example.com. Rengse, akun Google anyar tiasa didaptarkeun sareng alamat éta alanna@example.com.

Ieu nyababkeun dua akun Google anu béda anu tiasa dianggo pikeun asup kana platform kerja Conto Inc. (sapertos Slack sareng Zoom) ngalangkungan Google OAuth. Masalahna nyaéta alamat kadua tetep teu katingali ku pangurus Google Workspace perusahaan, janten aranjeunna henteu tiasa ngahapus atanapi nganonaktipkeun akun ieu. Ku cara ieu, karyawan anu dipecat masih tiasa gaduh aksés kana sumber daya perusahaan.

Ngamangpaatkeun kerentanan Google OAuth sareng kéngingkeun éntri tanpa aksés awal

Sakumaha kamungkinan sadayana ieu dilaksanakeun dina prakték? Pinuh. Ayrey nguji kamungkinan ngeksploitasi kerentanan dina Google OAuth dina Slack and Zoom perusahaanna sorangan, sareng mendakan yén éta leres-leres tiasa nyiptakeun akun hantu sapertos kitu. Pamaké biasa anu sanés ahli ogé tiasa nyandak kauntungan tina éta: henteu peryogi pangaweruh atanapi kaahlian khusus.

Ngamangpaatkeun kerentanan dina Google OAuth

Conto ngamangpaatkeun kerentanan dina Google OAuth pikeun masihan aksés Slack kana akun anu kadaptar kana sub-alamat email. Sumber

Catet yén, salian Slack sareng Zoom, kerentanan ieu mangaruhan puluhan alat perusahaan anu kirang dikenal anu nganggo auténtikasi Google OAuth.

Dina sababaraha kasus, panyerang tiasa kéngingkeun aksés kana alat awan organisasi sanaos awalna henteu gaduh aksés kana email perusahaan tina perusahaan target. Sistem tiket Zendesk, contona, tiasa dianggo pikeun tujuan ieu.

Idena nyaéta yén jasa ieu ngamungkinkeun ngirim pamenta via email. Alamat surelek sareng domain perusahaan didamel kanggo pamundut, sareng panyipta pamundut (nyaéta, saha waé) tiasa ningali eusi sadaya korespondensi anu aya hubunganana sareng pamundut ieu. Tétéla yén pangguna tiasa ngadaptarkeun akun Google nganggo alamat ieu sareng, ngalangkungan pamundut, kéngingkeun email sareng tautan konfirmasi. Aranjeunna teras tiasa ngamangpaatkeun kerentanan dina Google OAuth pikeun asup kana Zoom sareng Slack perusahaan target tanpa gaduh aksés awal kana sumberna.

Kumaha ngajaga ngalawan kerentanan Google OAuth

Panaliti ngabéjaan Google ngeunaan kerentanan sababaraha bulan kapengker ngaliwatan program bounty bug; parusahaan dipikawanoh salaku masalah (sanajan prioritas lemah sareng severity) komo dileler ganjaran a (tina $ 1337). Ayrey ogé ngalaporkeun masalah éta ka sababaraha jasa online, kalebet Slack.

Nanging, teu aya anu buru-buru ngalereskeun kerentanan sapertos kitu, janten panyalindungan ngalawan aranjeunna sigana aya dina taktak karyawan perusahaan anu ngatur platform kerja. Untungna, dina kalolobaan kasus ieu henteu ngabalukarkeun masalah khusus: ngan mareuman pilihan “Asup sareng Google”.

Sareng, tangtosna, éta ide anu saé pikeun waspada kana kamungkinan penetrasi anu langkung jero kana infrastruktur inpormasi organisasi ngaliwatan platform sapertos Slack, anu hartosna ngawaskeun naon anu lumangsung dina infrastruktur éta. Upami departemén kaamanan inpormasi perusahaan anjeun henteu gaduh sumber daya atanapi kaahlian pikeun ngalakukeun ieu, laksanakeun jasa éksternal sapertos Deteksi sareng Tanggapan Diurus Kaspersky.


#Naha #ngagunakeun #Google #OAuth #dina #aplikasi #padamelan #henteu #aman

Early this year I gave you five reasons to avoid desktop versions of messengers. The fact that many such applications use the Electron framework is one of them. This means that such a messenger works as an additional browser in your system, and its updates are quite difficult to control.

But, as I wrote in that post, it has become clear the problem is much more widespread — affecting not only messengers but hundreds of other apps as well. Chances are, because of Electron-based apps, you have a many more browsers than you think in your system this very minute…

What is Electron, and why do application developers want to use it?

Electron is a cross-platform desktop application development framework that employs web technologies — mostly HTML, CSS, and JavaScript. It was originally created by GitHub for its source code editor Atom (hence its original name — Atom Shell). Later on the framework was renamed Electron, ultimately evolving into an extremely popular tool used to create desktop applications for various operating systems, including Windows, macOS, and Linux.

Electron framework official site

Main page of the Electron framework official site. Source

Electron itself is based on the Chromium browser engine, which is responsible for displaying web content within a desktop application. So any Electron application is effectively a single website opened in the Chromium browser.

Users usually have no idea at all how the thing works. From their point of view, an Electron application is just another program you install, run in the usual way, give access to some files, occasionally update to the newest version, and so on.

Why has Electron grown so popular with developers? The idea is mainly this: no matter what digital service one might want to create, a web version is still needed. And the Electron framework allows you to develop just the web version and, based on it, produce full-fledged apps for all the desktop operating systems out there.

Electron’s other convenience features include making installation packages, their diagnostics, publication to app stores, and automatic updates.

Mullvad VPN uses the Electron framework, too

Et tu autem, Brute! You can find Electron in apps you least expect to

Summing up, the Electron framework is popular among developers — most particularly as it allows to greatly accelerate and simplify the application development process for all desktop operating systems in one go.

Issues with Electron-based applications

Electron-based applications have a number of drawbacks. The most obvious from the users’ perspective is their sluggishness. Electron-based software is usually resource-intensive and suffers from excessive file size. No wonder: each such app carries its whole home on its back like a snail a full-blown Chromium browser. In effect, it operates through that browser — serving as a sort of intermedium.

Next issue: web browsers are a favorite target of cybercriminals. It’s worth repeating: inside every Electron-based app there’s a separate instance of the Chromium web browser. This means your system may have a dozen additional browsers installed, all of which present a tempting target for criminals.

New, serious vulnerabilities pop up almost weekly in a popular browser like Chrome/Chromium: so far this year more than 70 high, and three critical severity-level vulnerabilities have been found in Chromium as of the time of writing. Worse yet, exploits for the world’s most popular browser’s vulnerabilities appear really quick. This means that a good part of Chrome/Chromium holes are not just abstract bugs you treat as a matter of routine — they’re vulnerabilities that can be used for attacks by cybercriminals out in the wild.

List of Chrome/Chromium vulnerabilities found in the first eight months of 2023

Even in fine print, Chromium vulnerabilities found so far in 2023 take up several screens. Source

For the standalone Chrome browser, this isn’t such a serious problem. Google is very quick to release patches and rather persistent in convincing users to install them and restart their browser (it even thoughtfully re-opens all their precious tabs after restarting so they don’t need to fear updating).

Things are very different for the Electron-based apps. A Chromium browser built into such an app will only get patched if the app’s vendor has released a new version and successfully communicated to users the need to install it.

So it appears that, with a bunch of installed Electron apps, not only do you have multiple browsers installed on your system, but also little to no control over how updated and secure those browsers are, or how many unpatched vulnerabilities they contain.

The framework’s creators know full well about the problem, and strongly recommend that app developers release patches on time. Alas, users can only hope that those recommendations are followed.

And here’s a fresh example: On September 11, Google fixed the CVE-2023-4863 vulnerability in Google Chrome. At that point, it was already actively exploited in the wild. It allows a remote attacker to perform an out of bounds memory write via a crafted HTML page, which can lead to the execution of arbitrary code. Of course, this bug is present in Chromium and all Electron-based applications. So, all companies using it in their applications will have to work on updates.

Which desktop applications are based on Electron?

Not many folks seem to know how incredibly common Electron-based desktop applications are. I’ll bet you are using more than one of them. Check them out yourself:

  • 1Password
  • Agora Flat
  • Asana
  • Discord
  • Figma
  • GitHub Desktop
  • Hyper
  • Loom
  • Microsoft Teams
  • Notion
  • Obsidian
  • Polyplane
  • Postman
  • Signal
  • Skype
  • Slack
  • Splice
  • Tidal
  • Trello
  • Twitch
  • Visual Studio Code
  • WhatsApp
  • WordPress Desktop

I personally use around a third of the apps from the list (but, for the record, none of them as desktop applications).

That list is not exhaustive at all though, representing only the most popular Electron-based applications. In total there are several hundred such applications. A more or less complete list of them can be found on a special page on the official website of the framework (but, it seems, not all of them are listed even there).

List of Electron-based applications

The list of Electron-based desktop applications comprises several hundred online services, including about 20 really popular ones. Source

Security considerations

So how to avoid the threats posed by uncontrolled browsers that thoughtful developers are now unpredictably embedding into desktop apps? I have three main tips regarding this:

  • Minimize the number of Electron-based apps as much as possible. It’s not as difficult as it seems: the very fact of using the framework normally suggests that the service has an extremely advanced web version, which is most likely on a par with the desktop application in terms of features and convenience.
  • Try to inventory all Electron-based apps used by your company’s employees, and prioritize their updates. More often than not, these are collaboration applications of different forms and shades — from Microsoft Teams, Slack, and Asana, to GitHub and Figma.
  • Use a reliable security solution. It will help you repel attacks in those periods when vulnerabilities are already known and being exploited but the patches haven’t yet been issued. By the way, Kaspersky products have an exploit protection system: it helps our experts detect the exploitation of new, as yet unknown vulnerabilities, and warns the developers of the corresponding programs about these holes.


#Electronbased #desktop #applications #secure