A severe vulnerability in the Signal desktop app lets attackers steal chats in plaintext without any user interaction
21 May, 2018

Signal is one of the most trusted end-to-end encrypted messaging apps, used by millions. Two vulnerabilities in the Signal desktop app have now been disclosed in quick succession. A team of security researchers revealed a code injection vulnerability that remote attackers could have exploited to run a malicious payload inside the Signal desktop app on the recipient's system just by sending a specially crafted link, with no user interaction required.

The vulnerability was discovered by accident while Iván Ariel Barrera Oro, Alfredo Ortega, and Juliano Rizzo were chatting on Signal. When one of them shared a link to a vulnerable site with an XSS payload in its URL, the payload unexpectedly executed inside the Signal desktop app itself rather than on the site. Cross-site scripting (XSS) is a common attack class in which attacker-controlled input is rendered as HTML or script by a web application; Signal Desktop is an Electron app, i.e. a web application packaged with its own Chromium runtime, which is why a browser-class bug applies to a desktop program.

"The critical thing here was that it didn't require any interaction with the victim, other than simply being in the conversation. Anyone can initiate a conversation in Signal, so the attacker just needs to send a specially crafted URL to pwn the victim without further action. And it is platform independent," the researchers wrote in their blog post. Signal patched the vulnerability promptly.

Less than a week later, the same team found a second severe vulnerability in the Signal desktop app. It has the same impact but lives in a different code path: the one that handles quoted messages, i.e. the preview shown when a reply quotes an earlier message. The first fix did not cover this second sink.

Exploiting the bug on an unpatched version of the app is trivial. The attacker sends a message whose body contains HTML or JavaScript, then replies to that same message, quoting it, with any text at all. When the victim's vulnerable Signal desktop app renders the quoted message, the quoted payload is treated as markup and the script executes, again with no user interaction. The researchers also built a proof-of-concept exploit that uses this to exfiltrate all of the victim's Signal conversations in plaintext, just by sending them a message. End-to-end encryption is not broken here; it is bypassed. The injected script runs inside the client after the messages have already been decrypted, which is where they must be in order to be displayed.
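The two-step quote attack, modelled as an added example that is not Signal's code: a tiny renderer builds message HTML by string interpolation, first with neither field escaped (the first bug), then with only the body escaped (the state after the first patch, where the quote preview is the remaining unescaped path), and finally with every untrusted field escaped. The message shape, the payload, the `buildQuoteReply` helper and the `findInjectedTags` check are constructed for this illustration and are not Signal's data model or code.

```javascript
// Added example, not Signal's code: a minimal model of a chat renderer that
// builds HTML from untrusted message text, showing the stored XSS behind both
// bugs and the escaping that closes it. The message shape is constructed.

// Constructed attacker payload: runs when the <img> fails to load.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

// Escape the characters that can change HTML structure in text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Models the client building a reply that quotes an earlier message: the quote
// preview carries the original body, which is attacker-controlled text.
function buildQuoteReply(original, replyText) {
  return { body: replyText, quote: { text: original.body } };
}

// Bug 1: both the body and the quote are interpolated straight into markup.
function renderVulnerable(msg) {
  const quote = msg.quote ? `<blockquote>${msg.quote.text}</blockquote>` : '';
  return `<div class="message">${quote}<p>${msg.body}</p></div>`;
}

// Bug 2: the body sink was fixed but the quote sink was not. A message whose
// body carries the payload now renders harmlessly, until someone quotes it and
// the quote preview becomes the unescaped path.
function renderPartiallyPatched(msg) {
  const quote = msg.quote ? `<blockquote>${msg.quote.text}</blockquote>` : '';
  return `<div class="message">${quote}<p>${escapeHtml(msg.body)}</p></div>`;
}

// Fixed: every untrusted field goes through escapeHtml, so an attacker's '<'
// can never open a tag regardless of which path rendered it.
function renderSafe(msg) {
  const quote = msg.quote ? `<blockquote>${escapeHtml(msg.quote.text)}</blockquote>` : '';
  return `<div class="message">${quote}<p>${escapeHtml(msg.body)}</p></div>`;
}

// Oracle for this example: tag names in the output that the template itself
// never emits. Anything listed here came from untrusted input.
const TEMPLATE_TAGS = new Set(['div', 'p', 'blockquote']);
function findInjectedTags(html) {
  const found = new Set();
  for (const match of html.matchAll(/<\s*\/?\s*([a-zA-Z][\w-]*)/g)) {
    const tag = match[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.add(tag);
  }
  return [...found];
}

// Walk through the attack as described: payload message, then a quoting reply.
const attackerMessage = { body: PAYLOAD };
const quotingReply = buildQuoteReply(attackerMessage, 'any text at all');
console.log('bug 1, payload message:', findInjectedTags(renderVulnerable(attackerMessage)));        // [ 'img' ]
console.log('bug 2, payload message:', findInjectedTags(renderPartiallyPatched(attackerMessage)));  // []
console.log('bug 2, quoting reply  :', findInjectedTags(renderPartiallyPatched(quotingReply)));     // [ 'img' ]
console.log('fixed, quoting reply  :', findInjectedTags(renderSafe(quotingReply)));                 // []
```

The lesson the second bug teaches is that output encoding has to be applied at every sink that renders the same untrusted field, not only at the one the first report pointed to; a grep for every place message text is interpolated into markup is the cheap check that would have caught the quote path.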

The researchers also noted that on Windows an attacker could include files from a remote SMB share through an HTML iframe. Loading a resource from an attacker-controlled share makes the machine authenticate to that server, leaking the user's NTLMv2 challenge-response hash, which can then be cracked offline to recover the password.

"In the Windows operating system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in an SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it," the researchers explained.
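A guard against the SMB variant, as an added example rather than Signal's fix: before a renderer puts any attacker-influenced URL into an iframe or img src, resolve it against the document's base URL and accept only https. The file: base URL, the UNC path and the helper names are constructed for this illustration. The point it shows is that a bare \\host\share path, resolved by a page that itself loaded from disk, becomes a file: URL with a remote host, which Windows fetches over SMB; a scheme allowlist at render time catches that even where the content security policy, as the researchers found, does not.

```javascript
// Added example, not Signal's code: allowlist the scheme of any URL that a
// renderer is about to embed. Helper names and the base URL are constructed.

const EMBEDDABLE_SCHEMES = new Set(['https:']);

// What does the candidate resolve to under the document's base URL?
// Returns the WHATWG protocol ('https:', 'file:', ...) or null if unparseable.
// A UI loaded from disk has a file: base, so "\\host\share\x" resolves to
// file://host/share/x, a UNC path that Windows will fetch over SMB.
function resolvedProtocol(candidate, base) {
  try {
    return new URL(candidate, base).protocol;
  } catch (e) {
    return null;
  }
}

// Returns the normalised URL if it may be embedded, otherwise null.
// Refusing anything but https also covers javascript:, data:, smb: and file:,
// and a scheme-relative "//host/path" that would inherit the file: base.
function safeEmbedUrl(candidate, base) {
  let url;
  try {
    url = new URL(candidate, base);
  } catch (e) {
    return null; // unparseable: refuse rather than guess
  }
  if (!EMBEDDABLE_SCHEMES.has(url.protocol)) return null;
  if (url.username || url.password) return null; // no embedded credentials
  return url.href;
}

// Constructed base: an Electron-style UI served from the local disk.
const DOC_BASE = 'file:///C:/Users/victim/AppData/Local/chat/index.html';
// Constructed UNC path in the shape the researchers described.
const UNC_PAYLOAD = '\\\\DESKTOP-XXXXX\\Temp\\test.html';

console.log(resolvedProtocol(UNC_PAYLOAD, DOC_BASE));              // file:
console.log(safeEmbedUrl(UNC_PAYLOAD, DOC_BASE));                  // null
console.log(safeEmbedUrl('https://example.org/a.html', DOC_BASE)); // https://example.org/a.html
```

Escaping (the fix for the two XSS bugs) and this check are complementary: escaping stops attacker text from becoming a tag at all, while the scheme allowlist protects the places where the client legitimately builds an iframe or image from a URL it did not author.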

In a statement, Signal officials wrote: "We would like to thank the researchers who contacted us about this issue. Version 1.11.0 resolves the issue and was released on Monday."

The Signal desktop app updates itself automatically, so most users received the fix without doing anything; still, check that you are running version 1.11.0 or later unless you want someone else reading your chats in plaintext. The broader lesson is that even trusted software has bugs, so keep a measured level of paranoia rather than placing blind trust in encryption. Running these apps on mobile devices is somewhat safer, because platform sandboxing limits what a compromised app can reach compared with its desktop counterpart. And no form of encryption can protect you once one of the endpoints is compromised: the plaintext necessarily exists on the device that displays it.
