This framework-level bypass impacts high-profile targets, including Signal, 1Password, Slack, and even Chrome derivatives.
By exploiting overlooked “frozen pizza” shortcuts in the V8 engine, adversaries can inject persistent, stealthy malware into signed applications without triggering integrity checks or code-signing failures.
Electron applications leverage V8 heap snapshots to accelerate startup by deserializing a pre-initialized JavaScript context.
These binary snapshot files, however, are not classified as “executable” by Electron’s integrity fuses—EnableEmbeddedAsarIntegrityValidation and OnlyLoadAppFromAsar—nor by Chromium’s code-signing enforcement.
Consequently, an attacker with filesystem write access can overwrite a trusted application’s v8_context_snapshot.bin with a malicious version, bypassing both OS-level signature checks and Electron’s ASAR integrity validation.
By using Electron’s prebuilt mksnapshot tool, threat actors can embed JavaScript gadgets into heap snapshots that clobber V8 built-in functions—such as Array.isArray—to achieve arbitrary code execution in any V8 isolate.
For instance, overwriting Array.isArray with a payload that logs keystrokes or spawns unauthorized processes demonstrates how unsigned code can execute undetected.
The simplicity of this technique allows attackers to establish stealthy persistence, evade endpoint detection (including CrowdStrike Falcon), and bypass application control policies like AppLocker.
Electron applications often install into user-writable directories (e.g., %AppData%\Local on Windows or /Applications on macOS), making them ideal vectors for backdoor insertion without requiring privilege escalation.
Once loaded, the malicious snapshot executes on every subsequent launch, providing attackers with full access to both the renderer and main processes.
In the main process, Node.js APIs enable unconstrained file system access, network communication, and dynamic library loading.
Despite integrity-checking fuses being available, they are disabled by default and do not cover heap snapshots.
As a result, even security-conscious organizations like Slack, 1Password (patched in v8.11.8-40), and Signal were vulnerable until this flaw was responsibly disclosed and patched.
Electron maintainers worked swiftly to address the issue, underscoring the importance of comprehensive integrity mechanisms that include all forms of executable content.
Looking ahead, this vulnerability highlights a broader risk across Chromium-based applications.
Local attackers can use snapshot tampering to compromise browsers and derivative clients, an attack class that falls outside the Chrome threat model, which explicitly excludes physically local attackers from scope.
To mitigate these risks, developers should enable and extend integrity checks to include heap snapshots and unsigned code loading—ensuring that any code deserialized into V8 isolates is cryptographically verified.
Organizations relying on Electron or Chromium-based software must audit their deployment configurations, apply patches promptly, and implement continuous integrity monitoring.
With snapshot-based backdoors now proven feasible, proactive defenses and a robust threat model are critical to safeguarding user data and maintaining trust in signed applications.
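The two recommendations above, extending integrity checks to heap snapshots and running continuous integrity monitoring, can be approximated today from outside the application. The following script is an added example for this article, not code from the Electron project or from the researchers cited; it records SHA-256 hashes of the files Electron deserializes at startup (the V8 heap snapshots and the ASAR archive) in a baseline manifest taken at install time, then re-checks the install tree and reports files whose hash changed, files that disappeared, and watched file names that appeared where the baseline had none. The directory layout, the snapshot_blob.bin and app.asar names, and the byte contents in the demo are constructed assumptions; only v8_context_snapshot.bin comes from the article.

```python
"""Baseline-and-verify integrity monitoring for Electron startup files.

Added example for this article, not Electron's own code. Hashes the files
an Electron app deserializes at launch into a baseline manifest, then
re-checks an install directory against it. Layout and sample bytes are
constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File names to watch anywhere in the install tree. v8_context_snapshot.bin is
# the snapshot named in the article; the other two names are assumptions
# standing in for the remaining startup blobs and the packaged app archive.
WATCHED_NAMES = {
    "v8_context_snapshot.bin",
    "snapshot_blob.bin",
    "app.asar",
}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(install_dir: Path) -> dict:
    """Map each watched file's install-relative path to its SHA-256 hash."""
    baseline = {}
    for p in sorted(install_dir.rglob("*")):
        if p.is_file() and p.name in WATCHED_NAMES:
            baseline[p.relative_to(install_dir).as_posix()] = sha256_file(p)
    return baseline


def verify(install_dir: Path, baseline: dict) -> dict:
    """Compare the current tree against the baseline.

    Returns three sorted lists: 'modified' (hash differs from baseline),
    'missing' (in baseline, no longer on disk) and 'unexpected' (a watched
    file name present on disk that the baseline never recorded).
    """
    current = build_baseline(install_dir)
    modified = sorted(k for k in baseline if k in current and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    unexpected = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: baseline a clean install, then alter the snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "SampleApp"  # constructed install directory
        (install / "resources").mkdir(parents=True)
        # Constructed placeholder contents; a real install holds binary blobs here.
        (install / "v8_context_snapshot.bin").write_bytes(b"\x00trusted-snapshot\x00")
        (install / "snapshot_blob.bin").write_bytes(b"\x00trusted-blob\x00")
        (install / "resources" / "app.asar").write_bytes(b"asar-archive")

        baseline = build_baseline(install)
        # A clean tree verifies with no findings.
        assert verify(install, baseline) == {"modified": [], "missing": [], "unexpected": []}

        # The failure mode from the article: the snapshot file's bytes change
        # while the signed executable is untouched, so code signing stays green.
        (install / "v8_context_snapshot.bin").write_bytes(b"\x00other-snapshot\x00")
        # A watched file name shows up in a location the baseline never had.
        (install / "resources" / "v8_context_snapshot.bin").write_bytes(b"extra")
        return verify(install, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two deployment points matter for this to be meaningful. The baseline must be stored and the check must run from a context the local user cannot write to (an endpoint agent or a system service, not the user-writable install directory itself), otherwise an attacker who can replace the snapshot can replace the manifest too. And the check complements, rather than replaces, enabling the Electron integrity fuses the article names, since it only detects tampering after the fact rather than refusing to load an unverified snapshot.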
The post Hackers Abuse Integrity Flaw to Compromise Signal, Slack, 1Password appeared first on Cyber Security News.