Signal is one of the most trusted end-to-end encrypted messaging apps, used by millions. Vulnerabilities in the Signal messaging app are being exposed back to back. A team of white-hat hackers has revealed a code injection vulnerability that could have been exploited by remote attackers to inject a malicious payload into the Signal desktop app running on the recipient's system just by sending them a specially crafted link, without requiring any user interaction.
The vulnerability was discovered accidentally when Iván Ariel Barrera Oro, Alfredo Ortega, and Juliano Rizzo were chatting on the Signal messenger app. When one of them shared a link to a vulnerable site with an XSS payload in its URL, the payload unexpectedly executed in the Signal desktop app. XSS, short for cross-site scripting, is a popular attack vector that allows attackers to inject malicious code into a vulnerable web application.
"The critical thing here was that it didn't require any interaction with the victim, other than simply being in the conversation. Anyone can initiate a conversation in Signal, so the attacker just needs to send a specially crafted URL to pwn the victim without further action. And it is platform independent," the blog post stated. The vulnerability was, however, immediately patched by Signal.
For the second time in less than a week, the same team of security researchers discovered another severe vulnerability in the Signal messaging app. The newly discovered vulnerability poses the same threat, except that it exists in a different function, the one that handles the validation of quoted messages, i.e. quoting a previous message in a reply.
The researchers also indicated that an attacker could even include files from a remote SMB share using an HTML iframe, which can be abused to steal NTLMv2 hashed passwords from Windows users.
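Both bugs described above come down to the same defect: text received from another party was handed to the rendering layer as HTML instead of as text, once in the ordinary message path and once in the quoted-message path. The following is an added illustration, not Signal's code, of how a desktop client should treat message and quote bodies: every character is HTML-escaped, the same renderer is used on both code paths, and only http(s) URLs are turned into links, so an iframe tag or a UNC path such as \\HOST\share\x.html arrives on screen as inert text. The message shape ({ body, quote }) and the sample messages are constructed for this example.

```javascript
// Added example (not Signal's code): rendering untrusted message text safely.
// Assumptions: a message is { body: string, quote?: { body: string } } and the
// client builds an HTML string that is later inserted into the chat view.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape every HTML metacharacter so message text can never become markup.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Only http(s) URLs become clickable. UNC paths (\\host\share), file: and
// javascript: URLs fail parsing or the scheme check and are returned as null,
// which keeps them as escaped plain text.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Candidate links: runs starting with http(s):// and stopping at whitespace or
// any HTML metacharacter, so an XSS payload appended to a URL is never part of it.
const URL_RE = /https?:\/\/[^\s<>"']+/g;

// Render one body: text segments are escaped, valid URLs become anchors whose
// href and visible text are both escaped.
function renderBody(body) {
  let out = '';
  let last = 0;
  for (const m of body.matchAll(URL_RE)) {
    out += escapeHtml(body.slice(last, m.index));
    const href = safeHref(m[0]);
    const shown = escapeHtml(m[0]);
    out += href
      ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${shown}</a>`
      : shown;
    last = m.index + m[0].length;
  }
  out += escapeHtml(body.slice(last));
  return out;
}

// The quote path goes through exactly the same renderer as the message body;
// the second Signal bug was a quote-handling path that lacked this treatment.
function renderMessage(msg) {
  let html = '';
  if (msg.quote) {
    html += `<blockquote>${renderBody(msg.quote.body)}</blockquote>`;
  }
  html += `<p>${renderBody(msg.body)}</p>`;
  return html;
}

// Detection helper for logging or review: flags bodies that contain tag-like
// markup or a UNC path, which ordinary chat text almost never does.
function looksLikeMarkup(body) {
  return /<\s*\/?\s*[a-z]/i.test(body) || /\\\\[^\s\\]+\\/.test(body);
}

// Constructed sample: a reply that quotes a message carrying an iframe tag.
const sample = {
  body: 'see https://example.test/?q=1 <b>now</b>',
  quote: { body: '<iframe src=\\\\HOST\\share\\x.html>' },
};
console.log(renderMessage(sample));
console.log('quote flagged:', looksLikeMarkup(sample.quote.body));
```

The two properties worth checking in a real client are the ones the tests below exercise: no byte of message or quote text reaches the DOM unescaped, and nothing but an http(s) URL is ever turned into a navigable reference.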
"…iframe src=\\DESKTOP-XXXXX\Temp\test.html and then replying to it," the researchers explained.
In a statement, Signal officials wrote: "We would like to thank the researchers who contacted us about this issue. Version 1.11.0 resolves the issue and was released on Monday."
The Signal app has an auto-update mechanism that installs the updated version automatically. Ensure that you are using an updated version of Signal for desktop unless you want someone else to get hold of your personal information or chats in plain text. Since even trusted software can be hacked, users are also advised to maintain a measured level of paranoia rather than placing blind trust in encryption. It is probably safer to run these apps on mobile devices, because those platforms have application sandboxing that prevents apps from interacting with as many resources as their desktop counterparts. And, of course, people should always remember that no form of encryption will save us when one of the endpoints is compromised.