Loopholes in Signal’s security

Signal, widely considered one of the most secure messaging apps, recently discovered by accident a dangerous XSS (cross-site scripting) vulnerability in its desktop versions.

Signal's loopholes with XSS

The vulnerability was found when Iván Ariel Barrera Oro, Alfredo Ortega, and Juliano Rizzo were chatting about another XSS vulnerability via Signal. Two of them were using the desktop version while the third was using Signal’s extension for Google Chrome. Suddenly, Oro noticed a ‘picture not found’ icon next to the URL sent from the Chrome add-on, which meant that the XSS had triggered in the desktop version: the message text had been rendered as HTML rather than as plain text. The trio later tested this discovery on the other desktop platforms (Linux, Windows, Mac), all of which were susceptible.

Iván Ariel Barrera Oro wrote:

We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny). They all worked, except that CSP blocked the execution of scripts, which halted this attack in some way.

Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP.

This XSS vulnerability was fixed fairly quickly, only a couple of hours after the report, and has not yet caused any known major problems. Still, this is a pretty shameful mistake for software that Edward Snowden himself recommends. Luckily it did not affect the message encryption itself.
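The root cause described above is HTML injection: untrusted message text reached the DOM as markup, and CSP only stopped inline scripts, not iframes pointing at remote resources. The following is an added defensive example, not Signal's own code: it escapes every message before rendering, auto-links only http(s) URLs so file, smb or UNC references stay inert text, and flags messages carrying the element types the researchers listed. The function names and sample messages are assumptions made for this illustration.

```javascript
// Added example (not Signal's code): render untrusted message text safely.
// 1) escape everything before it touches innerHTML,
// 2) linkify only http(s) URLs, from already-escaped text,
// 3) flag incoming messages that contain risky markup, for logging/alerting.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise the five characters that can start or end markup or attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Element names the researchers tried in the quote above (plus embed).
// Matching an opening or closing tag is enough to flag the message.
const RISKY_TAG_RE = /<\s*\/?\s*(img|form|script|object|frame|frameset|iframe|sound|video|embed)\b/i;

function containsMarkup(text) {
  return RISKY_TAG_RE.test(String(text));
}

// Any scheme://... token; the scheme is checked afterwards with the URL parser.
const URL_RE = /\b[a-z][a-z0-9+.-]*:\/\/[^\s<>"']+/gi;

function renderMessage(text) {
  const src = String(text);
  let html = '';
  let last = 0;
  for (const m of src.matchAll(URL_RE)) {
    html += escapeHtml(src.slice(last, m.index));   // plain text between URLs
    const url = m[0];
    let allowed = false;
    try { allowed = ['http:', 'https:'].includes(new URL(url).protocol); } catch (_) { /* not a URL */ }
    const escaped = escapeHtml(url);                 // used for both href and link text
    html += allowed
      ? `<a href="${escaped}" rel="noopener noreferrer" target="_blank">${escaped}</a>`
      : escaped;                                     // file:, smb: etc. stay plain text
    last = m.index + url.length;
  }
  html += escapeHtml(src.slice(last));
  return html;
}

// Constructed sample inputs: a harmless link and an injected iframe pointing at a share.
const SAMPLE_LINK = 'see https://example.com/a?b=1&c=2 now';
const SAMPLE_INJECTION = '<iframe src="file://server/share/x.html"></iframe>';
```

`renderMessage(SAMPLE_INJECTION)` yields a string with no `<` at all, so the iframe renders as visible text, while `containsMarkup(SAMPLE_INJECTION)` returns true and can drive an alert or a log entry.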

Analysts later shared that this problem had originally been found earlier and even patched, but the patch was removed during an update in April to fix linking issues. Choosing the lesser of two evils instead of fixing both was not the most logical decision by Signal’s security team, but the ‘patching’ team had already been dealing with a lot of issues these past few months: deleted Signal messages being stored by macOS, a bug allowing the screen lock to be bypassed, another framework issue shared with Skype, and a few others.

Hopefully, Signal’s specialists will manage to resolve these problems with more permanent solutions, because clients who demand high-level privacy are unlikely to tolerate never-ending “Oops, I did it again” updates.

Source: https://ivan.barreraoro.com.ar/
