Recent developments have raised significant alarm for users of the Signal messaging application, known for its strong end-to-end encryption. For the second time in less than a week, the app’s desktop users are urged to update their software to mitigate yet another critical vulnerability, this time identified as a code injection flaw.
This vulnerability, reported by a team of security researchers on Monday, allows attackers to remotely inject malicious code into the Signal desktop application—a process that requires no interaction from the target user. The ability to execute such an attack stems from the vulnerability’s exploitation through a seemingly innocuous message.
Previous iterations of code injection vulnerabilities in Signal focused on how shared links were handled within the chat functions. The current issue, cataloged as CVE-2018-11101, concerns the validation of quoted messages, meaning that if an attacker sends a message containing harmful HTML or JavaScript and then replies to that message, they can trigger the execution of the malicious payload without the victim’s awareness or consent.
This new attack vector presents a stark challenge to the core premise of Signal’s encryption, as it allows attackers to access plaintext versions of user conversations without having to compromise the underlying encryption mechanisms themselves. Proof-of-concept demonstrations have previously been limited to embedding redirect scripts via HTML iFrames, but the current findings indicate that attackers could easily exfiltrate all conversations of the victims in plaintext by merely messaging them.
In a particularly concerning detail revealed by the researchers, it was suggested that attackers could further exploit this vulnerability to incorporate resources from remote SMB shares, thus potentially acquiring NTLMv2 hashed passwords from Windows users. This could lead to unauthorized access if an automatic authentication mechanism engages with an attacker-controlled server.
The vulnerability has significant implications for cybersecurity, as it demonstrates the potential of exploitation methodologies deployed in similar contexts. For instance, a technique resembling this was seen in a recent compromise involving Microsoft Outlook, suggesting that attackers may increasingly employ such strategies across various platforms.
Security experts Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt Bryant responsibly disclosed this issue to Signal, which has since released an updated version (1.11.0) for Windows, macOS, and Linux to address the vulnerabilities. While Signal employs an auto-update feature, users are advised to verify their application versions to ensure they are protected against this severe threat, which is exacerbated by the potential for plaintext exposure of sensitive conversations.
In light of these incidents, businesses relying on Signal for secure communications must remain vigilant about such vulnerabilities and continually assess their operational security postures. The MITRE ATT&CK framework identifies tactics such as initial access and exploitation as pertinent to understanding the mechanics behind these attacks. As cybersecurity risks evolve, diligence in software updates becomes paramount for safeguarding sensitive corporate communications.