close search bar

Sorry, not available in this language yet

close language selection

Bad Signal gets quick fix

Bad Signal gets quick fix

It looked like a bright spot in a gloomy week for the encrypted messaging app Signal. And it was, in fact, a positive thing—a patch for a serious XSS (cross-site scripting) vulnerability that the company made available only hours after a public report of the problem. It just wasn’t quite as bright a moment as it initially appeared.

But first, the problem—actually problems, since there were more than one. Multiple news outlets reported this past week that researchers had discovered a serious XSS vulnerability affecting all desktop versions of Signal—for Mac, Windows, and Linux.

It did not affect the mobile app. Still, word of anything that undermines Signal’s application security is obviously not the kind of publicity sought by a company that offers a virtual guarantee of secret communication.

And Signal is an industry darling of sorts, for its protocols, encryption scheme, and general integrity. Endorsements on its homepage come from the likes of NSA whistleblower Edward Snowden and cryptography guru and blogger Bruce Schneier.

But one of the researchers, Ivan A. Barrera Oro, wrote that an attacker posing as a contact could exploit the desktop client to send a message containing a malicious URL to set up a range of code-injection compromises using image, audio, or iframe tags—even if the victim did nothing more than participate in the conversation.

And Swati Khandelwal, writing in The Hacker News, pointed out that was just the first flaw, now identified as CVE-2018-10994.

The second, discovered just days later and now identified as CVE-2018-11101, “exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.

“In other words, to exploit the newly patched bug on vulnerable versions of [the] Signal desktop app, all an attacker needs to do is send a malicious HTML/JavaScript code as a message to the victim, and then quote/reply to that same message with any random text,” Khandelwal wrote.

This, she noted, “could allow remote attackers to successfully steal all Signal conversations of the victims in plaintext just by sending them a message…without breaking the encryption.”

Indeed, that is perhaps the most pernicious element of the vulnerability—an attacker doesn’t even need to defeat the encryption. Travis Biehn, technical strategist at Synopsys Software Integrity Group, said that “the XSS weakness would permit an attacker to bypass encryption and integrity controls—to access message contents.”

“That’s an important distinction,” he said. “You haven’t attacked the encryption scheme. Which is every attacker’s favorite way to get around encrypted data—just attack around it.”

The good news is that, almost unbelievably, a fix was available only three hours after Signal acknowledged the latest report. But wasn’t quite the uber-rapid response that it may have appeared to be.

John Dunn, writing on the Naked Security blog, pointed out that the fix “had originally been part of an update in mid-April that wasn’t applied for reasons unknown.”

What caused such a critical defect?

Biehn said it is that the Signal desktop app is built on Electron, a software framework created by GitHub and used by Skype, Slack, Discord, Twitch, Basecamp,, and numerous others. Vulnerabilities in Electron were reported in January and then just this past week.

He said because the Electron platform uses web technology, such as JavaScript and HTML, to present its interface, “Electron-based desktop apps inherit many of the problems experienced by modern-day web applications. This is what stung the Signal desktop app.”

And it is a stark illustration of the need for app developers to, as Biehn put it, “complete web AppSec domain security analysis on Electron platform-based desktop applications.”

Still, the bottom line is that the informal “system” between researchers and app developers that allows them to discover and patch vulnerabilities worked relatively well in this case.

The researchers notified Signal of the vulnerability, which the company patched with the release of desktop version 1.11.0 for Windows, macOS, and Linux.

Dan Goodin of Ars Technica reported that Signal issued a statement that read: “We would like to thank the researchers who contacted us about this issue. Version 1.11.0 resolves the issue and was released on Monday.”

And since the Signal app has an auto-update mechanism, it is likely already installed for most users. Any users who aren’t sure can check here. If you don’t have it—update immediately.

Biehn said that “given the excellent hygiene generally exhibited by Signal, we expect that they will adopt best practices known to web app developers.”

Those include:

  • Static analysis, which is designed to spot bugs and defects in software code without running or executing it.
  • Software composition analysis, which audits open source and third-party code for compliance and security.
  • Dynamic analysis, which uses penetration testing while applications are running to simulate an attack by a skilled hacker.

In short, “building security in” to software during the development cycle can eliminate major headaches like an XSS vulnerability when a product is in commercial use

Make sure your software security initiatives are in sync

Get started

Taylor Armerding

Posted by

Taylor Armerding

Taylor Armerding

Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.

More from Security news and research