I am currently evaluating the security risks for an Electron app I am working on, with regard to whether it is possible to copy a file, or a bunch of files, stored on the user’s hard drive by Electron, and just paste them into another installation on another machine and thus automatically be logged into the application using the session of the user who was logged in on the first machine. We use token auth in our app.

I noticed that Electron stores its cache in a particular folder, as mentioned in "How to clear the cache data in Electron(atom shell)?".

Among those files I noticed a 'Cookies' file, which seems to be an SQLite DB. When you open this with an SQLite DB reader you can view the cookie data as plain text. However, this doesn’t seem to contain the auth cookie of the currently logged-in user.

Hence some of the questions I’m hoping to get answers to are:

  1. When we log a user in, the user’s auth token is stored in a cookie. Is this cookie stored in a particular file on the hard drive by Electron which can be copied onto another machine to spoof/hijack a user’s session?
  2. If the answer to question 1 is yes, is there a way to prevent this?

I am not a pro on security, so forgive me if I've gotten some security terminology wrong.

Craig
  • If the attacker had access to the user's machine they could use the user's installation of the application, there's no need to copy various files to another machine. If the attacker has access to the user's machine, they could plant a virus that modifies the installation to log entered passwords. Why is this particular vector something you believe is worthwhile mitigating in the first place? Don't let the attacker gain access to the user's machine, period. – Patrick Roberts Mar 12 '20 at 12:22
  • @PatrickRoberts Good point. Someone had raised this security issue, which seems to be in line with the issue mentioned here: https://github.com/electron/electron/issues/7073. I guess maybe the fear is that if some malware gets hold of the file storing the token and sends it to another location without the user knowing, in the background, it would make it possible to access the user's info without him/her knowing? Or some similar scenario? Do you think this is something not worth worrying about, since once a system is compromised, it is compromised anyway and there's no way to really stop it? – Craig Mar 12 '20 at 13:11
  • Once the attacker has compromised the system, there are much worse things that can be done without the user knowing, than hijacking an application session. – Patrick Roberts Mar 12 '20 at 14:46
  • Maybe these cites are helpful: `tokens should be treated like passwords and protected as such.` though `Pattern detection and recognition through machine learning is a fantastic, modern way to handle some of these more complicated problems.` – john Smith Mar 13 '20 at 08:08

0 Answers