This research has been presented at:

The backstory

In 2019 I wrote a blog post about injecting code to Electron apps to impersonate their TCC permissions. The trick was really simple because at that time the only thing an attacker had to do was to modify one of the Electron app’s HTML files or the whole ASAR. In macOS Ventura, this trick stopped working as the app protection mechanism has been introduced.

app protection

This mechanism broke my simple Electron injection technique so it was time to figure out something new…

TCC inheritance problem

TCC is now a much bigger mechanism than it was before. As we all know, complicity usually indicates vulnerabilities. One such example is the inheritance of privacy privileges (look at: CVE-2020-10008). What happens when an entitled process spawns a child that wants to access something? Or if a process has a completely separate privileged helper that wants to access your desktop for example? Who should be then responsible for that action - the parent or the child?

As I’m not going to update this post in the future, please keep in mind that the TCC inheritance may change in the future. On macOS Sonoma, generally speaking, situation looks as follows:

Electron apps are in the second group so if we make our target Electron app spawn a malicious process - we would be able to inherit its TCC permissions.

--inspect flag for the rescue

Turns out that Electron has a debugging feature that we may trigger by setting a --inspect flag. Before we do so it’s important to verify if the targeted app respects it:

$ npx @electron/fuses read --app /Applications/
Analyzing app:
Fuse Version: v1
  RunAsNode is Enabled
  EnableCookieEncryption is Disabled
  EnableNodeOptionsEnvironmentVariable is Enabled
  EnableNodeCliInspectArguments is Enabled
  EnableEmbeddedAsarIntegrityValidation is Disabled
  OnlyLoadAppFromAsar is Disabled
  LoadBrowserProcessSpecificV8Snapshot is Disabled

If EnableNodeCliInspectArguments is enabled it means that we can use the --inspect flag to turn on DevTools API available on a local web socket. Accessing this API with a chromium-based browser allows us to execute arbitrary JavaScript code in the context of the targeted Electron app. Using the following JavaScript code we can spawn a child process that will inherit our Electron’s app TCC permissions:

const exec = require('child_process').exec;

You may ask what if EnableNodeCliInspectArguments is disabled? - Well, injecting to old vulnerable versions still works.



I decided to write a tool that automates the above-mentioned steps and has some predefined JavaScript scripts embedded to make exploitation even easier. It’s called electroniz3r and it is available on my Github -

Take a look at the demos below.

Teams vs electroniz3r

Visual Studio Code vs electroniz3r