Serious XSS vulnerability discovered in Signal

Researchers have discovered a serious cross-site scripting (XSS) vulnerability affecting all desktop versions of Edward Snowden’s favourite security application, Signal.

An XSS flaw is a nuisance in any application, but in Signal, used by parties that want the highest levels of privacy, the impact is amplified.

An attacker posing as a contact could use the flaw to send a message containing a malicious URL to set up a range of code-injection compromises using image, audio or iFrame tags, or simply to make the software crash.

Researcher Iván Ariel Barrera Oro, the flaw’s co-discoverer, described how he had chanced upon the issue completely by accident:

The critical thing here was that it didn’t require any interaction from the victim, other than simply being in the conversation.

Which meant:

Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP [Content Security Policy].

That’s not a compromise of the software’s end-to-end encryption, but it would be helpful to an attacker trying to trick a would-be victim into giving up information about themselves.
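The root of this class of bug is a message body being inserted into the chat window as markup rather than as text. As an added example (not Signal's code, nor the researchers'), here is a small JavaScript renderer of the kind an Electron UI would use: the body is HTML-escaped and only http(s) URLs are turned into links, so image, audio or iframe tags in a message, and smb:// locations, are displayed literally instead of being loaded. The function names and the sample message are constructed for this illustration.

```javascript
// Added example, not from Signal-Desktop: render an untrusted message body
// as inert text and linkify only http(s) URLs.

// The five characters that can open or close HTML markup or attributes.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Only http and https may become clickable. Anything else (smb:, file:, ...)
// stays as plain text, so a link cannot pull a resource from a share.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

function isSafeLink(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return false; // not an absolute URL at all
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Split the raw body into URL and non-URL segments first, then escape each
// segment. Escaping after linkifying is the classic way such bugs appear.
const URL_RE = /\b[a-z][a-z0-9+.-]*:\/\/[^\s<>"']+/gi;

function renderMessage(body) {
  const text = String(body);
  let html = '';
  let last = 0;
  for (const m of text.matchAll(URL_RE)) {
    html += escapeHtml(text.slice(last, m.index));
    const token = m[0];
    const safeToken = escapeHtml(token); // href and link text are both escaped
    html += isSafeLink(token)
      ? `<a href="${safeToken}" rel="noopener noreferrer" target="_blank">${safeToken}</a>`
      : safeToken;
    last = m.index + token.length;
  }
  html += escapeHtml(text.slice(last));
  return html; // safe to assign to innerHTML of the message bubble
}

// Constructed sample message containing a tag and a legitimate link.
const SAMPLE = 'see <img src="x"> at https://signal.org/';
```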

Designated CVE-2018-10994, the flaw affects all desktop versions (Windows, Mac, Linux) but not the mobile Android or iOS apps. The vulnerable versions are v1.7.1, v1.8.0, v1.9.0, and v1.10.0, fixed by upgrading to v1.10.1 or v1.11.0-beta.3.

A curious aspect of this flaw discovery is how quickly it was resolved – around three hours from an acknowledgement of the report to a fix.

After studying the file used to apply the patch, the researchers noticed it had originally been part of an update in mid-April that wasn’t applied for reasons unknown.

Signal’s patching crew have been busy recently. In April, a researcher discovered a way that someone with physical access to a device running the iOS version could bypass the screen lock.

Only days ago, a separate flaw was discovered in the Mac desktop application in which some time-limited or deleted messages were being copied to the notifications buffer.

Then there was the whole issue of the vulnerability in the Electron framework also used by Skype, Slack, Discord and others.

Perhaps the biggest headache of all for Signal has been the change in the weather over domain fronting, a technique used to make Signal (and other apps) harder to censor at ISP level.

This led to a cease and desist from Amazon over Signal’s use of AWS.

Bugs can be fixed, but beating censorship remains a full-time job.

Update 2018-05-18

On 16 May the same researchers revealed another, related, XSS bug:

Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability.

CVE-2018-11101 can be resolved, like the earlier flaw, by upgrading to signal-desktop messenger v1.11.