Tsakalidis showed how the lack of basic encryption for Electron code leaves users vulnerable to hackers who inject back-door code into their sessions, which exposes their communications, filesystem, and cameras and mics to third parties.
These changes are harder to make on macOS or GNU/Linux systems (where admin access is required), but Windows systems are wide open.
To make things worse, Electron's team had previously rejected a user request for encryption to protect its files, and when Tsakalidis presented his work to them, they ignored him.
Tsakalidis has released a proof-of-concept tool called BEEMKA, a small Python program that can open Electron ASAR archive files and insert exploit code into them, exploiting apps and Chrome plugins built in the framework.
Tsakalidis said that in order to make modifications to Electron apps, local access is needed, so remote attacks to modify Electron apps aren't (currently) a threat. But attackers could backdoor applications and then redistribute them, and the modified applications would be unlikely to trigger warnings—since their digital signature is not modified.
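Because the app's code signature does not change when the ASAR archive is edited, one practical defensive check is to record a per-file hash manifest of a freshly installed app's resources archive and compare it later. The following is an added example, not code from the article, from Context, or from BEEMKA: a minimal reader for the ASAR container that walks the JSON header and hashes each packed file. The header layout (a size pickle followed by a JSON pickle, file offsets relative to the end of the header) is written from the author's understanding of the upstream asar package and should be treated as an assumption; the sample archive is constructed in memory so the example runs offline.

```python
import hashlib
import json
import struct

# Constructed sample: the (unencrypted) contents a tiny Electron app.asar might hold.
SAMPLE_FILES = {
    "package.json": b'{"name":"demo","main":"src/main.js"}',
    "src/main.js": b"require('electron').app.whenReady().then(() => {});\n",
}


def _insert(node, parts, meta):
    """Place a file entry at a nested path inside an ASAR header tree."""
    if len(parts) == 1:
        node["files"][parts[0]] = meta
        return
    child = node["files"].setdefault(parts[0], {"files": {}})
    _insert(child, parts[1:], meta)


def build_asar(files):
    """Write an ASAR archive in memory (constructed input so the example runs offline).

    Assumed layout (all integers little-endian):
      [u32 = 4][u32 header_size]                 -- pickle holding the header size
      [u32 payload_len][u32 json_len][json][pad] -- pickle holding the JSON header, 4-byte aligned
      [file bytes...]                            -- concatenated; offsets relative to 8 + header_size
    """
    header = {"files": {}}
    body = b""
    for name, data in files.items():
        _insert(header, name.split("/"), {"size": len(data), "offset": str(len(body))})
        body += data
    js = json.dumps(header, separators=(",", ":")).encode()
    payload = struct.pack("<I", len(js)) + js + b"\0" * ((-len(js)) % 4)
    header_size = 4 + len(payload)
    return struct.pack("<II", 4, header_size) + struct.pack("<I", len(payload)) + payload + body


def parse_asar(blob):
    """Return {path: (absolute_offset, size)} for every file packed inside the archive."""
    size_field, header_size = struct.unpack_from("<II", blob, 0)
    if size_field != 4 or len(blob) < 8 + header_size:
        raise ValueError("not a well-formed ASAR archive")
    _, json_len = struct.unpack_from("<II", blob, 8)
    header = json.loads(blob[16:16 + json_len])
    base = 8 + header_size
    entries = {}

    def walk(node, prefix):
        for name, meta in node["files"].items():
            path = f"{prefix}/{name}" if prefix else name
            if "files" in meta:
                walk(meta, path)
            elif "offset" in meta:  # "unpacked" entries live outside the archive; skip them
                entries[path] = (base + int(meta["offset"]), int(meta["size"]))

    walk(header, "")
    return entries


def read_entry(blob, entries, path):
    """Slice one packed file out of the archive bytes."""
    off, size = entries[path]
    return blob[off:off + size]


def manifest(blob):
    """Per-file SHA-256 digests: the baseline a defender records for a freshly installed app."""
    entries = parse_asar(blob)
    return {p: hashlib.sha256(read_entry(blob, entries, p)).hexdigest() for p in entries}


def diff_manifests(baseline, current):
    """Report files whose hash changed, plus files added or removed since the baseline."""
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"changed": changed, "added": added, "removed": removed}


if __name__ == "__main__":
    good = build_asar(SAMPLE_FILES)
    # Simulate an archive whose main script was rewritten in place (constructed, not a real payload).
    altered = dict(SAMPLE_FILES, **{"src/main.js": SAMPLE_FILES["src/main.js"] + b"// extra\n"})
    print(diff_manifests(manifest(good), manifest(build_asar(altered))))
```

In practice the baseline manifest would be produced from the `resources/app.asar` of a known-good install and stored outside the application directory, since anyone who can rewrite the archive can also rewrite a manifest kept next to it; the comparison then belongs in an endpoint integrity or configuration-management job rather than in the app itself.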
Skype, Slack, other Electron-based apps can be easily backdoored [Sean Gallagher/Ars Technica]
Basic Electron Framework Exploitation [Pavel Tsakalidis/Context]