A security researcher has discovered a severe vulnerability in the popular end-to-end encrypted Signal messaging app for Windows and Linux desktops which could allow remote attackers to execute malicious code on a recipient's system just by sending a message, without requiring any user interaction.
Although technical details of the vulnerability have not been revealed as of now, the issue appears to be a remote code execution vulnerability in Signal or at least something very close to persistent cross-site scripting (XSS) which eventually could allow attackers to inject malicious code onto targeted Windows and Linux systems.
“I can confirm that this bug did not exist before and was last introduced because the devs forgot why there was a regex there to begin with. I would like to recommend a comment to this comment if it is not repeated again (TBD),” Ortega’s friend Mr. Ivan confirms.
At this moment, it is not clear if the vulnerability resides only in the source code of Signal or in the popular Electron web application framework, the technology on which Signal desktop applications are based.
If the flaw resides in the Electron framework, it might also impact other widely used desktop applications, including Skype, WordPress, and Slack, which use the same framework.
Moreover, the infosec community is worried that if this flaw allows remote attackers to steal users' secret encryption keys, it would be the worst nightmare for Signal users.
The good news is that Open Whisper Systems has already addressed the issue, releasing new versions of the Signal app within a few hours of receiving the researcher's responsible vulnerability disclosure.
The vulnerability has been patched in Signal stable release version 1.10.1 and pre-release version 1.11.0-beta.3, so users are advised to update their Signal desktop applications as soon as possible.
The latest release also patches a recently disclosed vulnerability in the Signal desktop apps that exposed disappearing messages in a user-readable database of macOS's Notification Center, even after they were deleted from the app.