Two classic web flaws found in privacy-focused app within a week

Basic vulnerabilities were discovered by accident twice within Signal Desktop this week, raising questions about the app’s security.

A cross-site scripting (XSS) bug which allowed remote code execution (RCE) was first disclosed by researchers who posted a video of the successful exploit on Twitter.

The researchers – Ivan Ariel Barrera Oro, Alfredo Ortega, and Juliano Rizzo – stumbled across the flaw in Signal’s desktop app.

By sending a message, an attacker could have taken complete control over a user’s system.

Signal is widely used due to its robust privacy guarantees, and while this bug (CVE-2018-10994) did not affect the encryption directly, an attacker who took control of the system could still read decrypted messages.

Researcher Matthew Bryant said he decided to try his luck at figuring out how the team had pulled off the exploit.

He reproduced the problem by “guessing”, Bryant tweeted, as at that point no proof-of-concept or report had been published.

However, instead of reproducing the original issue, Bryant had actually uncovered another flaw in Signal’s security.

His attack (CVE-2018-11101) also achieved RCE on the desktop app, but through a different method.

Bryant wrote in a blog post: “I began playing around with the Signal Desktop app trying to get arbitrary HTML markup to be evaluated but it didn’t appear to be straightforward.

“After trying a few different fields (name, plain message, etc) I eventually found that if you created a message with HTML markup (say, <h1>Test</h1>), and you then did a Quoted Reply message to that message, the original markup would be evaluated as HTML!”

He added: “Upon reading the writeup I realized the researchers were just sending vanilla Signal messages which were being interpreted as HTML, and not the Quoted Replies that I had been using.

“As it turns out both were separate very similar vulnerabilities resulting in the same impact. Who could have guessed that?”

The original issue, discovered by the team of researchers, had already been patched, but didn’t protect against this new vulnerability.

Bryant disclosed his findings to Signal, who he said patched the issue “within hours”.

The original vulnerability may already have been known about, the researchers noted, since a fix had been due in an April update that did not go ahead.

While Signal may be popular for its robust cryptography and user privacy, these findings were basic flaws that malicious actors could have exploited, with potentially serious consequences.

James Kettle, researcher at PortSwigger, said: “It's quite surprising to see such blatant vulnerabilities arising in security software of such pedigree.

“As well as being so obvious they were found by accident, the second one was introduced through unsafe use of a function called 'dangerouslySetInnerHTML' - hardly a subtle mistake.

“Everyone makes mistakes (us included) so it would be rash to judge Signal for this, but it makes me wonder if we'll be seeing more easy exploits in other apps in the future as Electron unleashes web vulnerabilities on unsuspecting desktop development teams.”
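The root cause described in Bryant’s write-up and in Kettle’s comment is the same: message text supplied by a remote party was handed to the renderer as markup rather than as text. The following is an added illustration written for this article, not Signal’s code and not the patch the project shipped; the function names, the blockquote template and the sample message are constructed for the example. It models an unsafe quoted-reply render (the verbatim splice that `innerHTML` or React’s `dangerouslySetInnerHTML` performs) beside an escaped render, and adds a small check a code reviewer or test suite can run over rendered output to catch any tag that did not come from the template. The escaping step generalises beyond quoted replies to any field (sender name, message body) that is built into HTML from message content.

```javascript
// Added illustration, not Signal's rendering code: rendering a chat message as
// text versus as HTML markup. All names and templates here are constructed.

// Escape the characters that matter when untrusted text is placed inside an
// HTML text node or a double-quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe model: the quoted message body is spliced into the template verbatim,
// which is what innerHTML / dangerouslySetInnerHTML does with a string. A
// message such as "<h1>Test</h1>" becomes a real <h1> element in the renderer.
function renderQuoteUnsafe(quotedBody) {
  return '<blockquote class="quoted-reply">' + quotedBody + '</blockquote>';
}

// Safe model: the body is escaped first, so the renderer shows the literal
// characters "<h1>Test</h1>" instead of interpreting them as markup.
function renderQuoteSafe(quotedBody) {
  return '<blockquote class="quoted-reply">' + escapeHtml(quotedBody) + '</blockquote>';
}

// Review/test helper: after removing the tags our own template contributes, is
// anything tag-shaped left over? If so, message content reached the DOM as
// markup and the rendering path needs escaping (or a text-node API instead).
function leaksMarkup(rendered) {
  const withoutTemplate = rendered
    .replace('<blockquote class="quoted-reply">', '')
    .replace('</blockquote>', '');
  return /<[a-zA-Z!\/?]/.test(withoutTemplate);
}

// Constructed sample input: the markup Bryant quotes in his write-up.
const sampleMessage = '<h1>Test</h1>';

console.log('unsafe :', renderQuoteUnsafe(sampleMessage), '-> leaks:', leaksMarkup(renderQuoteUnsafe(sampleMessage)));
console.log('safe   :', renderQuoteSafe(sampleMessage), '-> leaks:', leaksMarkup(renderQuoteSafe(sampleMessage)));
```

In a React code base the equivalent fix is usually simpler than escaping by hand: render the string as a child (`<blockquote>{quotedBody}</blockquote>`), which React escapes automatically, and reserve `dangerouslySetInnerHTML` for markup that was produced by the application itself. The `leaksMarkup` check is a cheap regression test to keep a rendering path from silently regaining the behaviour Bryant found.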