This video is kinda old, a lot has changed since then. Many things don't apply to today's reality so I'll be doing an updated video in the near future, stay tuned.
Starting from Electron 5.0+, `nodeIntegration` is disabled by default.
github.com/electron/electron/blob/master/docs/api/breaking-changes.md#new-browserwindow-webpreferences-
I started watching your channel and I wanted to ask you what color palette you were using.
Hi there! That link doesn't work, look into this link for more information www.electronjs.org/blog/electron-5-0#security-improvements
Would be good if there is also a restrictive CSP active
And I manually enable nodeIntegration in all my Electron apps lol
still waiting
Nice!!! First video I see from you. And your drawing style is already better than mine :P
Good job :)
Hey fabian can you please continue your web hacking series plss
His videos really look like yours, that's one of the things that caught my attention haha
Thank you!
Does he use the same drawing pad as you?
I feel like that makes your videos good
YEEEAAAAHHHH!!!
I love your channel's Easter eggs in his videos haha
concatenate your knowledge with @PwnFunction
Whoa this is quality content! Thank you so much!!!
This is epic
After watching your newer videos I decided to watch some of these and I was not disappointed.
Amazing that you were still this good at making videos 3 years ago
Correction: 2 yrs I can’t count
Coming from liveoverflow's video, that drawing is awesome
dude... you blow my mind. this is awesome....
Protip: most Electron applications come with a default devtools shortcut
I love this channel. The brain dumps are top notch.
Great video! A quick note in case it helps, there is a bumping sound on the left channel of the audio on your videos and is more noticeable wearing headphones. Depending on the source of the sound, a pop filter or shock absorbing mount for your mic would make your video as pleasing to listen to as it is to watch. 😊
Thanks! hopefully it won't be an issue from the next videos.
@@PwnFunction I'm looking forward to them!
these videos look so aesthetic
Can you share the electron app and the raw payload so all of us could try the step by step practically ?
Thanks for the good video (Y)
Soo much to learn from you , Hats off Dude
Great work guys. Simply put.
Crazy.... You guyz are awesome.. loved it..
❤️ From 🇮🇳
this is amaaazing do more please . also doing course on youtube would be cool
Your videos are very good, keep it like that!
really enjoy your videos :) may I ask what you use for the graphical parts of your videos? looks really cool
Adobe Animate
Wonderful! Great content! :-)
Great video!!! Thanks for sharing. +1 like and subscriber
This is why Discord Desktop is stupid
Nice i learnt something todayy
Had to happen some day.
Nice vid man
awesome video! which software do you use for drawing lol
he said he uses Adobe Animate 2021 in a reply to a comment under one of the binary exploitation videos
bro dammm that was just perferccttttt
"It was basically an API?" sure looks a lot like OpenID Connect to mee :D
Loved it ❤
Hi, nice video, but I am still a bit confused. What if you have a desktop application only? Is it still advised to turn it off? Because if you turn it on you can use the desktop API stuff. Also, if you don't keep user personal stuff in the localStorage you should be fine, right? Also, if your app is not a server then you are also set to go, right?
In short, enforce that you can't get simple XSS with content security policy and you can be pretty safe with node integration, but secure Electron apps are still tricky, prefer defense in depth and try to stick to defaults.
The current recommendation is to use the IPC modules to get the main process to do everything interesting, but they are a bit fiddly, and you're still on the hook for the exposed IPC protocol to not allow bad stuff, e.g. no read-file request!
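An added example, not part of the comment thread or the video: one way to keep an exposed IPC protocol narrow, as the reply above recommends. The origin, channel names and `dispatch` helper are hypothetical, and the Electron wiring is described in a comment so the logic runs in plain Node.

```javascript
// Constructed value: the only origin whose pages may talk to the main process.
const APP_ORIGIN = 'https://app.example';

// Narrow, purpose-specific channels (hypothetical names). There is no generic
// "read-file" or "exec" channel; each handler validates its own arguments.
const handlers = new Map([
  ['notes:open', ({ name }) => {
    // Allowlist the note name so it can never contain "/", "\\" or "..".
    if (typeof name !== 'string' || !/^[A-Za-z0-9_-]{1,64}$/.test(name)) {
      throw new Error('invalid note name');
    }
    return { file: name + '.md' }; // main process joins this to its notes dir
  }],
  ['window:set-title', ({ title }) => {
    if (typeof title !== 'string' || title.length > 120) {
      throw new Error('invalid title');
    }
    return { title: title.replace(/[\u0000-\u001f]/g, '') };
  }],
]);

// Gatekeeper for renderer requests. In an Electron main process it would sit
// inside ipcMain.handle(channel, (event, payload) => ...), with
// event.senderFrame.url passed as senderUrl.
function dispatch(senderUrl, channel, payload) {
  let origin;
  try {
    origin = new URL(senderUrl).origin;
  } catch {
    return { ok: false, error: 'bad sender url' };
  }
  if (origin !== APP_ORIGIN) return { ok: false, error: 'untrusted sender' };

  const handler = handlers.get(channel);
  if (!handler) return { ok: false, error: 'unknown channel' };

  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, error: 'payload must be an object' };
  }
  try {
    return { ok: true, value: handler(payload) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed requests: one legitimate, three that must be refused.
const page = 'https://app.example/index.html';
console.log(dispatch(page, 'notes:open', { name: 'todo' }));
console.log(dispatch(page, 'fs:read-file', { path: '/etc/passwd' }));
console.log(dispatch(page, 'notes:open', { name: '../../secret' }));
console.log(dispatch('https://evil.example/x', 'notes:open', { name: 'todo' }));
```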
I love this channel
This channels got me paranoid man
Sir please make more videos like this 🙏🙏
Wow great job !!
btw Discord and Element have their developer tools enabled btw
almost all have devtools on lmao
Nah, they disabled it. It works on ptb and canary tho
Really well done!
I guess I'm a little confused as to how we're able to validate anything you're saying if you won't even tell us the name of the platform involved. I could make a few videos where I find security holes in a fabricated web app too.
I love it!
I knew this was gonna be discord from the title
Name the best secure alternative, like JavaFX, which I am aware of. Which I am also aware is decompiled easily, or you use obfuscation. I need a secure, non-reverse-engineerable application. Can anybody give good advice?
Nice job :) great !
Nice video. Can you share the final message that you sent at the end? I did not understand how to bind client/access tokens, UID, GUID and RCE payload together.
So, people had the *BRILLIANT* idea to shove a dedicated browser (Chromium, no less) running a web-app with system-level hooks and extensibility, alongside the forceful system integration known as NodeJS (doing things we shouldn't be doing since the turn of the century, woo) into the general userspace and call it a proper program, all while patching none of the existing vulnerabilities out nor addressing the issue of *running a dedicated Chrome install with system hooks and permissions layered with NodeJS* and calling it """efficient""", god forbid performant.
Fast-forward two to three years, and I want to put my head through a brick wall. Not only are pseudo-apps (my own little term for them, since they forcibly try to be something they're not) disturbingly commonplace, but people think that they're a valid gateway for the cross-compatibility angle that people seem to be focused on at the moment. Putting aside the fact that the world's web infrastructure is sadly immature and even prehistoric in certain areas, disregarding the fact that you're combining some of the most broken, forcibly-mutated, and ultimately vulnerable software into something that it isn't, and deploying it into an ecosystem where it doesn't belong, it's just utterly lazy and convoluted. Rather than focusing all of that energy and experimentation on developing legitimate cross-platform libraries and systems, people prefer to make a bloated web-app and have it run using a web browser specifically installed for that one program, then lazily craft C# hooks for pulling system resources and actions into the mix.
Sorry for the rant, but goddamn, I'm tired of this craze. It's wrong, it's lazy and yet convoluted, and it's the incorrect approach. Evolution of systems begins by expansion and extrapolation, not by brute-forcing what's comfortable to many people (JS) into areas that shouldn't be involved (desktop development, systems-level I/O, etc.).
Electron is way safer now than it used to be, and the so called "pseudo-apps" are very popular, Slack, VSCode, Postman, Skype and Discord, are built using Electron, it's easy to make an unsafe app, but that's the thing, a good developer knows about the bad and builds accordingly.
Your whole rant is weak and you should research a little about where JS is involved because believe it or not, JS is used for the frontend of the Dragon Crew Interface and it's used widely in embedded.
Are there safer choices? Definitely. Are there faster choices? Of course there are. The reason why JavaScript is used everywhere is because it's fast, secure enough that only a beginner would expose its app to high vulnerabilities and it's got a big community, the biggest I would say.
So inform yourself sir.
But how are soydevs going to impress their mommies if they need to learn everything from the ground up to make their little apps? They need frameworks to build bloated websites which take an eternity to load and they need to build slow apps with lots of cute buttons. Are you suggesting people actually LEARN the os apis and use some C to make things secure and fast? Luddite!
@@user-he4ef9br7z I'm saying that you could very well re-invent the wheel, but you most probably are not going to and if you are then yes you're going to do it your way but by the time your wheel is rolling, everyone else is way ahead of you.
@@rodpadev Doing it your way used to be what programming was about. If you don't need to learn much to build stuff and just use a framework built by a mega large corporation, in turn making things slow, memory intensive and less secure, it might be time to question whether you're more of a consumer than a creator. Sure, some cooking website startup can afford to download a bloated framework, but in places where what you write actually matters, like embedded, robotics, space exploration, military, cryptography, let's just say you ain't gonna be using typescript. It's not about reinventing the wheel, it's about making the product vs using a product.
Good content but the public prefer no 0 days without information, is better fresh patches cases but with the details
That was a bit unspecific, is there a writeup?
Nice! Thanks
You can use 7zip to decompress the asar file
heyyy u guys awesome ...
You are lit bro
What OS are you using?
@k4b00m yes but what distro? 😂
Windows at the moment, but I'll be getting a mac soon.
Can I make hackerrank type platform in my own website using this?
2020 still watching
You are a great tutor
I wonder how you know so much. I have just started in hacking and I feel so over this if I don't find a vulnerability, so can you tell me how you started?
Found it a little bit dishonest to say that it works "just by visiting a message in the browser" when it actually is the application running in the background that is the issue.
what app you used to create this video
He used adobe animate cc
Nice one guys ;)
Very good video.
so how can one avoid this??
Great video but I will appreciate if you upload the used resources (exploit and volun app)
I'll keep that in mind for the next video.
Let's destroy notion and discord.
+__+ Awesome Video make more
nice
Yaaasss
"decomiple"
wow.. thanks microsoft : )
is it just me or is the audio fk*d up? so painful listening to it..
like the mic has a broken wire or something
True
Anyone Tauri gang?
I SAID THIS TO MY FRIEND BEFORE =) HAHA
i always knew electron apps were not to be trusted!
Need more detail
Yeah. Like what service this even is targeting, in what other ways it was broken that led to this, and how those items were eventually fixed.
betterdiscord is cooler
Anddddd this video is useless now by just don't (nodeIntegration: false) & use new feature called contextBridge in Electron ........ PEACE SON!!
This is literally worthless. Stop spreading misinformation.
It’s not.
You seem to not know what you are saying.
If you're going to say something is "misinformation", you have to explain WHY it's misinformation. Otherwise we will assume that, at best, you don't know what you're talking about. Or, at worst, you are intentionally deceitful.