- Apps make Slack a more productive and enjoyable place to get work done. Let’s not also forget that super amazing features, like the Events API and message buttons, are exclusive to apps. If you want to create an app and install it on your team – but are new to Slack’s OAuth process – this tutorial is for you.
Chromium.slack.com is a virtual meeting place where Chromium developers can foster community and coordinate work. With so much geographic and organizational diversity in our team, making it easy to have “hallway conversations” in a public online forum like chromium.slack.com helps keep everyone in the loop.
LAS VEGAS—The Electron development platform is a key part of many applications, thanks to its cross-platform capabilities. Based on JavaScript and Node.js, Electron has been used to create client applications for Internet communications tools (including Skype, WhatsApp, and Slack) and even Microsoft's Visual Studio Code development tool. But Electron can also pose a significant security risk because of how easily Electron-based applications can be modified without triggering warnings.
At the BSides LV security conference on Tuesday, Pavel Tsakalidis demonstrated a tool he created called BEEMKA, a Python-based tool that allows someone to unpack Electron ASAR archive files and inject new code into Electron's JavaScript libraries and built-in Chrome browser extensions. The vulnerability is not part of the applications themselves but of the underlying Electron framework—and that vulnerability allows malicious activities to be hidden within processes that appear to be benign. Tsakalidis said that he had contacted Electron about the vulnerability but that he had gotten no response—and the vulnerability remains.
While making these changes requires administrator access on Linux and macOS, it only requires local access on Windows. Those modifications can create new event-based 'features' that can access the file system, activate a webcam, and exfiltrate information from systems using the functionality of trusted applications—including user credentials and sensitive data. In his demonstration, Tsakalidis showed a backdoored version of Microsoft Visual Studio Code that sent the contents of every code tab opened to a remote website.
It’s not a bug, it’s a feature
The problem lies in the fact that Electron ASAR files themselves are not encrypted or signed, allowing them to be modified without changing the signature of the affected applications. A request from developers to be able to encrypt ASAR files was closed by the Electron team without action.
Code inserted into the ASAR can run either within the application's context or within the context of the Electron framework itself. Application code is 'plain old JavaScript,' Tsakalidis explained, capable of calling Electron's operating-system-specific modules—including microphone and camera controls, as well as operating system interfaces. Code injected into Electron's internal Chrome extensions can allow attackers to bypass certificate checks, so that, while code may still force communications over HTTPS, an attacker can use a self-signed certificate on a remote system for exfiltration. And Web communications can be altered or completely blocked—including applications' updating features, which would prevent new versions from being automatically installed and displacing the backdoored application.
Tsakalidis said that in order to make modifications to Electron apps, local access is needed, so remote attacks to modify Electron apps aren't (currently) a threat. But attackers could backdoor applications and then redistribute them, and the modified applications would be unlikely to trigger warnings—since their digital signature is not modified.
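Because the ASAR is not covered by the application's signature, a defender has to baseline its contents separately. The following is an added example (not code from the article or from BEEMKA) that hashes every file packed in an ASAR and compares the result with a known-good manifest; it assumes the usual ASAR layout of four little-endian size fields followed by a JSON header, and the function names and sample archives are hypothetical.

```python
import hashlib
import json
import struct

def build_asar(files):
    """Pack {name: bytes} into a flat ASAR image (used only to construct sample input)."""
    index, body = {}, b""
    for name, data in files.items():
        index[name] = {"offset": str(len(body)), "size": len(data)}
        body += data
    header = json.dumps({"files": index}).encode()
    padded = header + b"\0" * (-len(header) % 4)
    sizes = struct.pack("<4I", 4, len(padded) + 8, len(padded) + 4, len(header))
    return sizes + padded + body

def asar_file_hashes(blob):
    """Return {path: sha256 hex} for every file packed inside an ASAR image."""
    size_len, header_size, _payload, json_len = struct.unpack_from("<4I", blob, 0)
    if size_len != 4 or json_len + 8 > header_size or 8 + header_size > len(blob):
        raise ValueError("not a well-formed ASAR header")
    base = 8 + header_size  # packed file data starts right after the header
    hashes = {}

    def walk(node, prefix):
        for name, entry in node.get("files", {}).items():
            if "files" in entry:  # directory: recurse
                walk(entry, prefix + name + "/")
            elif "offset" in entry:  # packed file; unpacked files and links are skipped
                start = base + int(entry["offset"])
                if start + entry["size"] > len(blob):
                    raise ValueError(f"{prefix + name}: entry runs past end of archive")
                data = blob[start:start + entry["size"]]
                hashes[prefix + name] = hashlib.sha256(data).hexdigest()

    walk(json.loads(blob[16:16 + json_len]), "")
    return hashes

def diff_against_baseline(baseline, current):
    """Report files modified, added or removed relative to a known-good manifest."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

# Constructed sample: a clean archive and a copy with one file changed and one added.
CLEAN = build_asar({"main.js": b"app.start()\n", "package.json": b'{"main":"main.js"}'})
ALTERED = build_asar({"main.js": b"app.start()\nextra()\n",
                      "package.json": b'{"main":"main.js"}', "hook.js": b"// new\n"})
REPORT = diff_against_baseline(asar_file_hashes(CLEAN), asar_file_hashes(ALTERED))
```

The baseline manifest should be taken from a copy of the application obtained from the vendor and stored where the account that runs the application cannot write to it.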
Package Details: slack-electron 4.14.0-1
| Field | Value |
|---|---|
| Git Clone URL | https://aur.archlinux.org/slack-electron.git (read-only) |
| Package Base | slack-electron |
| Description | Slack Desktop (Beta) for Linux, modified to use the system 'electron' package instead of its own |
| Upstream URL | https://slack.com/downloads |
| Keywords | |
| Licenses | custom: Slack |
| Conflicts | slack-desktop |
| Provides | slack, slack-desktop |
| Submitter | whiredplanck |
| Maintainer | yurikoles |
| Last Packager | yurikoles |
| Votes | 11 |
| Popularity | 1.24 |
| First Submitted | 2020-07-05 17:00 |
| Last Updated | 2021-04-02 10:32 |
Dependencies (2)
- electron (electron-ozone, electron-beta-bin, electron-nightly-npm)
- libappindicator-gtk3 (libappindicator-gtk3-ubuntu, libappindicator-bzr) (optional) – for notification indicator in the status bar on GNOME
Sources (2)
djmattyg007 commented on 2021-04-24 01:04
The latest update has made the PKGBUILD significantly more difficult to review.
Why were all references to 'slack' updated to '${_product}'? It's longer to write and more difficult to read.
Can you please update the slack.sh bin script to use '#!/bin/bash' instead of '#!/bin/sh'? Pacman has a hard dependency on bash, so everyone will always have it installed. There's no reason to use '#!/bin/sh' on an Arch Linux system.
pychuang commented on 2021-04-21 20:05
@Koffiepoeder It's working for me. I'm using Sway and simply executed `slack --enable-features=UseOzonePlatform --ozone-platform=wayland`.
hpstg commented on 2021-04-21 14:23
Still cannot log in with the latest PKGBUILD, which looks to have the changes integrated. This is under X11 in Gnome.
Koffiepoeder commented on 2021-04-21 09:48
For those wondering, using this version to get slack to run under wayland did NOT work for me (i.e. changing `/user/bin/slack` with the chromium flags `--enable-features=UseOzonePlatform --ozone-platform=wayland`). Kind of expected, but at least worth a try.
pychuang commented on 2021-03-19 18:52
@mvdan A request for making it an orphan package is already pending. Once the request goes through, other users can take over the package and push new changes.
mvdan commented on 2021-03-19 14:46
What can be done to get this package updated and/or integrate @qubidt's changes?
qubidt commented on 2021-02-10 15:52
Updated the PKGBUILD to fix the issues others mentioned. Also updated slack versions and moved the installation directory to /usr/lib to make it more consistent with other electron packages. Not sure which change specifically fixed the issue but I can 'sign in' successfully now.
slack-electron
AUR diff:
crabvk commented on 2021-02-02 17:38
I had the same problem. Then I quit my job and removed slack. Problem solved.
brando56894 commented on 2021-02-02 14:36
This one won't log in for me. After I click 'Sign In' it brings me to the website, which then tells me to log in, which I do; then it tells me it wants to open Slack, and when it does it just opens a new instance telling me to sign in.
I removed this version and installed slack-desktop and it worked perfectly the first time.
djmattyg007 commented on 2021-01-28 03:44
Using '#!/usr/bin/env sh' in the shebang is pointless, because bash is a hard dependency of pacman. Everyone will always have it installed, so you may as well just refer directly to /bin/bash.