It looked like a bright spot in a gloomy week for the encrypted messaging app Signal. And it was, in fact, a positive thing—a patch for a serious XSS (cross-site scripting) vulnerability that the company made available only hours after a public report of the problem. It just wasn’t quite as bright a moment as it initially appeared.
But first, the problem—actually problems, since there were more than one. Multiple news outlets reported this past week that researchers had discovered a serious XSS vulnerability affecting all desktop versions of Signal—for Mac, Windows, and Linux.
It did not affect the mobile app. Still, word of anything that undermines Signal’s application security is obviously not the kind of publicity sought by a company that offers a virtual guarantee of secret communication.
And Signal is an industry darling of sorts, for its protocols, encryption scheme, and general integrity. Endorsements on its homepage come from the likes of NSA whistleblower Edward Snowden and cryptography guru and blogger Bruce Schneier.
But one of the researchers, Ivan A. Barrera Oro, wrote that an attacker posing as a contact could exploit the desktop client to send a message containing a malicious URL to set up a range of code-injection compromises using image, audio, or iframe tags—even if the victim did nothing more than participate in the conversation.
And Swati Khandelwal, writing in The Hacker News, pointed out that was just the first flaw, now identified as CVE-2018-10994.
The second, discovered just days later and now identified as CVE-2018-11101, “exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.
This, she noted, “could allow remote attackers to successfully steal all Signal conversations of the victims in plaintext just by sending them a message…without breaking the encryption.”
Indeed, that is perhaps the most pernicious element of the vulnerability—an attacker doesn’t even need to defeat the encryption. Travis Biehn, technical strategist at Synopsys Software Integrity Group, said that “the XSS weakness would permit an attacker to bypass encryption and integrity controls—to access message contents.”
“That’s an important distinction,” he said. “You haven’t attacked the encryption scheme. Which is every attacker’s favorite way to get around encrypted data—just attack around it.”
The good news is that, almost unbelievably, a fix was available only three hours after Signal acknowledged the latest report. But wasn’t quite the uber-rapid response that it may have appeared to be.
John Dunn, writing on the Naked Security blog, pointed out that the fix “had originally been part of an update in mid-April that wasn’t applied for reasons unknown.”
Biehn said it is that the Signal desktop app is built on Electron, a software framework created by GitHub and used by Skype, Slack, Discord, Twitch, Basecamp, WordPress.com, and numerous others. Vulnerabilities in Electron were reported in January and then just this past week.
And it is a stark illustration of the need for app developers to, as Biehn put it, “complete web AppSec domain security analysis on Electron platform-based desktop applications.”
Still, the bottom line is that the informal “system” between researchers and app developers that allows them to discover and patch vulnerabilities worked relatively well in this case.
The researchers notified Signal of the vulnerability, which the company patched with the release of desktop version 1.11.0 for Windows, macOS, and Linux.
Dan Goodin of Ars Technica reported that Signal issued a statement that read: “We would like to thank the researchers who contacted us about this issue. Version 1.11.0 resolves the issue and was released on Monday.”
And since the Signal app has an auto-update mechanism, it is likely already installed for most users. Any users who aren’t sure can check here. If you don’t have it—update immediately.
Biehn said that “given the excellent hygiene generally exhibited by Signal, we expect that they will adopt best practices known to web app developers.”
In short, “building security in” to software during the development cycle can eliminate major headaches like an XSS vulnerability when a product is in commercial use
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.