Open Whisper Systems has quickly patched two variants of a vulnerability in Signal Desktop that allowed an attacker to execute code remotely on a user's system via specially crafted messages, known as remote code execution or RCE.
The second and newest variant, identifier CVE-2018-11101, is described in a blog post by security researcher Matthew Bryant. Building on earlier research by others, he found that it is possible to send a user of the desktop version of Signal a message containing HTML. If the recipient then quoted this message, the desktop application interpreted the quoted content as HTML rather than as text. This made it possible, for example, to run code on the user's system via an iframe. The latest version, 1.11.0, of Signal Desktop contains a patch that was implemented within hours of the researcher's report.
Bryant's findings resemble those of researchers Alfredo Ortega, Iván Ariel Barrera Oro and Juliano Rizzo, who published details of a similar cross-site scripting vulnerability in Signal Desktop earlier this week. They discovered the first variant while examining an Argentine government site for vulnerabilities and communicating with each other through Signal's desktop client, which is based on the Electron framework. They noticed that a vulnerability present in the site also existed in the desktop client. Their variant, identifier CVE-2018-10994, also used HTML tags to run code, but without the need to quote the message. In that case too, the Signal team managed to fix the vulnerability within hours.
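The root cause in both variants is a message body reaching the renderer as markup instead of text. The snippet below is an added illustration, not Signal's code: a constructed quote-rendering template that splices the quoted body straight into HTML, the same template with output escaping, and a small check that a test suite could use to flag markup that did not come from the template itself. The message body and the `attacker.example` host are constructed placeholders.

```javascript
// Constructed sample: a quoted message body that carries an HTML tag.
const QUOTED_BODY = 'hi <iframe src="http://attacker.example/"></iframe>';

// Tags the quote template itself is expected to emit.
const TEMPLATE_TAGS = ['div', 'b', 'p'];

// Vulnerable pattern: the quoted body is interpolated into markup unchanged,
// so any tag inside it is interpreted by the renderer.
function renderQuoteUnsafe(author, body) {
  return `<div class="quote"><b>${author}</b><p>${body}</p></div>`;
}

// Escape the five HTML metacharacters so untrusted text is displayed, not parsed.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted field is escaped before interpolation.
function renderQuoteSafe(author, body) {
  return `<div class="quote"><b>${escapeHtml(author)}</b><p>${escapeHtml(body)}</p></div>`;
}

// Regression check: does the rendered markup contain any tag name that the
// template does not emit? A true result means untrusted data became markup.
function containsForeignTag(html, allowedTags) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)]
    .map((m) => m[1].toLowerCase());
  return names.some((name) => !allowedTags.includes(name));
}

// Stand-alone demonstration.
console.log('unsafe leaks markup:', containsForeignTag(renderQuoteUnsafe('alice', QUOTED_BODY), TEMPLATE_TAGS));
console.log('safe leaks markup:  ', containsForeignTag(renderQuoteSafe('alice', QUOTED_BODY), TEMPLATE_TAGS));
```

Output escaping is the first layer; in an Electron renderer a Content-Security-Policy that disallows frames and inline script is the second, so a missed escape does not by itself become code execution.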
The mobile version of the chat app was never affected by these vulnerabilities, which worked on several desktop operating systems.
Demonstration of the second variant