A recent vulnerability in Signal, the messaging application that provides encrypted communication between parties, could have allowed attackers to remotely execute arbitrary code on a victim’s device without any user interaction.
Security researchers Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo triggered the vulnerability by accident while exchanging URLs that contained various XSS (cross-site scripting) payloads. By combining the injected HTML with iframes, an attacker could leverage the vulnerability to execute arbitrary code on the victim’s device.
“We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny). They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack,” wrote Iván Ariel Barrera Oro on his blog. “Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP.”
Hours after the vulnerability was disclosed to the Signal team on May 15, a patch was released. Interestingly, the researchers noted that the regex used to validate URLs had existed in previous versions of the Signal desktop app but appears to have been accidentally removed in an April 10 build.
“However, the patch caught my attention: it was a big regex and I was surprised how fast they wrote it. So I decided to check on the file’s history to observe since when it has been vulnerable and I found this wonderful mistake: the applied “patch” already existed, but was (accidentally?) removed in a commit on April 10th to fix an issue with linking (I guess the issue is back). I’m still not convinced about that regex and I’m afraid someone might exploit it, especially those resourceful three-letter agencies…”
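The root cause described above (message text reaching the renderer as HTML) and the URL-linking regex the researcher distrusts both come down to the same design question: how to turn URLs in a message into clickable links without ever letting message text be parsed as markup. The following is an added example, not code from Signal Desktop or from the researchers' patch; it assumes a browser or Electron environment with the standard `URL` parser, and the sample message and host names in it are constructed.

```javascript
// Added example, not code from Signal Desktop or from the researchers' patch.
// Render a chat message for display: every character of the message is
// HTML-escaped, and only http(s) URLs, found in the raw text and validated
// with the URL parser, are wrapped in an anchor. Markup inside the message
// (img, iframe, script ...) therefore shows up as text instead of being parsed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Candidate URLs: explicit http/https scheme only, stopping at whitespace,
// quotes and angle brackets. Trailing punctuation is trimmed afterwards.
const URL_RE = /https?:\/\/[^\s<>"']+/g;
const TRAILING_PUNCT = /[.,;:!?)\]]+$/;

// Scheme allow-list enforced with the real URL parser rather than the regex
// alone, so smb:, file:, javascript: and malformed hosts never become links.
function isAllowedUrl(candidate) {
  try {
    const u = new URL(candidate);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

function linkifyMessage(text) {
  const raw = String(text);
  const out = [];
  let last = 0;
  for (const m of raw.matchAll(URL_RE)) {
    const url = m[0].replace(TRAILING_PUNCT, '');
    out.push(escapeHtml(raw.slice(last, m.index)));      // text before the URL
    if (isAllowedUrl(url)) {
      const safe = escapeHtml(url);                       // escape href and label
      out.push(`<a href="${safe}" rel="noopener noreferrer">${safe}</a>`);
    } else {
      out.push(escapeHtml(url));                          // show it, do not link it
    }
    last = m.index + url.length;                          // punctuation is re-read as text
  }
  out.push(escapeHtml(raw.slice(last)));
  return out.join('');
}

// Constructed sample message: an HTML tag plus a URL with a query string.
const SAMPLE = 'hi <img src="x"> see https://example.com/?a=1&b=2, ok';
console.log(linkifyMessage(SAMPLE));
```

Because escaping happens before any HTML is assembled, a restrictive CSP (for example one that forbids frames) remains a second layer rather than the only thing standing between a message and code execution.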
Everyone is strongly encouraged to update to the latest Signal build to make sure threat actors can’t exploit the vulnerability.