Discovered Monday past times the same squad of safety researchers, the newly discovered vulnerability poses the same threat equally the previous one, allowing remote attackers to inject malicious code on the recipients' Signal desktop app simply past times sending them a message—without requiring whatever user interaction.
To empathize to a greater extent than most the start code injection vulnerability (CVE-2018-10994), yous tin ship away read our previous article roofing how researchers notice the Signal flaw too how it works.
The exclusively divergence betwixt the 2 is that the previous flaw resides inward the component division that handles links shared inward the chat, whereas the novel vulnerability (CVE-2018-11101) exists inward a dissimilar component division that handles the validation of quoted messages, i.e., quoting a previous message inward a reply.
If the victim receives this quoted message containing the malicious payload on its vulnerable Signal desktop app, it volition automatically execute the payload, without requiring whatever user interaction.
Exploiting Signal Code Injection to Steal Plaintext Chats
Until at nowadays the proof-of-concept payloads used to demonstrate code injection vulnerabilities inward Signal were express to embedding an HTML iFrame, or image/video/audio tags onto the victim's desktop app.
However, researchers convey at nowadays managed to arts and crafts a new PoC exploit that could allow remote attackers to successfully pocket all Signal conversations of the victims inward the plaintext simply past times sending them a message.
This hack literally defeats the role of an end-to-end encrypted messaging app, allowing remote attackers to easily acquire the concur on users' plain-text conversations without breaking the encryption.
Attackers Could Possibly Steal Windows Password As Well
What's worse?
In their weblog post, the researchers equally good indicated that an assailant could fifty-fifty include files from a remote SMB part using an HTML iFrame, which tin ship away endure abused to pocket NTLMv2 hashed password for Windows users.
"In the Windows operative system, the CSP fails to forbid remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript tin ship away endure achieved past times referencing the script inward an SMB part equally the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and too therefore replying to it," the researchers explain.Though they haven't claimed anything most this shape of attack, I speculate that if an assailant tin ship away exploit code injection to strength Windows OS to initiate an automatic authentication amongst the attacker-controlled SMB server using unmarried sign-on, it would eventually manus over victim's username, too NTLMv2 hashed password to the attackers, potentially allowing them to hit access to the victim's system.
We convey seen how the same laid on technique was latterly exploited using a vulnerability inward Microsoft Outlook, disclosed terminal month.
I tin ship away non verify this claim at this moment, but nosotros are inward contact amongst few safety researchers to confirm this.
Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, too Matt Bryant—responsibly reported the vulnerability to Signal, too its developers convey patched the vulnerability amongst the unloosen of Signal desktop version 1.11.0 for Windows, macOS, too Linux users.
However, The Hacker News has learned that Signal developers had already identified this number equally component division of a comprehensive create to the start vulnerability earlier the researchers establish it too reported them.
Signal app has an auto-update mechanism, therefore most users must convey the update already installed. You tin ship away read this guide to ensure if yous are running updated version of Signal.
And if yous don’t, yous should at nowadays update your Signal for desktop equally before long equally possible, since at nowadays the vulnerability poses a severe adventure of getting your hole-and-corner conversations exposed inward plaintext to attackers too farther severe consequences.
