A new security exploit has been discovered that lets attackers slip malicious code into widely used desktop applications including Signal, 1Password, Slack, and Google Chrome by evading built-in code integrity checks.
The vulnerability, tracked as Electron CVE-2025-55305, affects nearly every app built on the Chromium engine when they use Electron, a popular framework for making cross-platform desktop software with web technologies.
At Trail of Bits, security researcher Shadow examined how Electron’s integrity controls work. Electron provides “fuses” to verify that an app’s JavaScript files match exactly what the developer packaged.
These fuses—EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar—ensure no code can be added or changed without being detected.
But they do not cover V8 heap snapshots, a performance feature inherited from Chromium that loads precompiled JavaScript state into memory like thawing a frozen pizza.
Attackers can tamper with these snapshots to insert unsigned code, and the integrity checks ignore them.
By targeting heap snapshots, an attacker with write access to an app installation folder—often a user-writable location like %AppData%Local on Windows or /Applications on macOS—can backdoor any Electron-based application without needing to break code signatures.
When the app starts, the modified snapshot runs before any integrity checks, letting the attacker override core JavaScript functions.
Shadow demonstrated this by replacing Array.isArray with a gadget that executes arbitrary code. In one test, altering this function caused Slack to crash, proving unsigned snapshot code ran despite Electron’s integrity fuses.
Shadow then built proof-of-concept backdoors for Slack, 1Password, and Signal. For Slack, the payload loaded a keylogger into chat windows.
For Signal and 1Password, the attack could steal messages or vault data. The team responsibly reported the flaw to Electron’s maintainers, who swiftly issued a patch. 1Password fixed the issue in version 8.11.8-40. Signal and Slack have released updates as well.
“We were made aware of Electron CVE-2025-55305 through Trail of Bits responsible disclosure and 1Password has patched the vulnerability in v8.11.8-40. Protecting our customers’ data is always our highest priority,” said Jacob DePriest, CISO at 1Password.
This flaw highlights a wider risk for all Chromium-based software. Researcher Emilio Lopez extended the technique to backdoor Chrome and related browsers installed in user-writable folders.
Because Chrome’s threat model excludes local attacks, these backdoors could remain undetected while still passing code-signing checks.
To defend against these attacks, developers of Electron and Chromium-based apps should enable full integrity checks on heap snapshots or move snapshot files to read-only locations.
Users are advised to update Signal, 1Password, Slack, and other Electron apps to the latest versions without delay.
Secure code integrity must cover every component, including hidden performance shortcuts, to stop attackers from turning trusted applications into stealthy persistence tools.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
