Supply chain blunder puts 3CX telephone app users at risk
2023-03-30 20:36

Internet telephony company 3CX is warning its customers of malware that was apparently weaseled into the company's own 3CX Desktop App by cybercriminals who seem to have acquired access to one or more of 3CX's source code repositories.

With an Electron-based app, you bundle in the Electron toolkit and program the bulk of your app in JavaScript, HTML and CSS, as if you were building a website that would work in any browser.

If you've ever wondered why popular app downloads such as Visual Studio Code, Zoom, Teams and Slack are as big as they are, it's because they all include a build of Electron as the core "programming engine" for the app itself.

While you're probably familiar with the code that makes up the unique parts of your own app, and you're no doubt well-placed to review all the changes from one release to the next, it's much less likely that you have the same sort of familiarity with the underlying Electron code on which your app relies.

Just removing the 3CX app is not enough to clean up, because this malware can itself download and install additional malware.

The company says: "We strongly suggest that you use our Progressive Web App instead. The PWA app is completely web-based and does 95% of what the Electron app does. The advantage is that it does not require any installation or updating and Chrome web security is applied automatically."

Wait for further advice from 3CX as the company finds out more about what happened.


News URL

https://nakedsecurity.sophos.com/2023/03/30/supply-chain-blunder-puts-3cx-telephone-app-users-at-risk/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
3CX 6 0 16 8 6 30