Hackers Reveal How Code Injection Attack Works in Signal Messaging App

signal-code-execution

After the revelation of the eFail attack details, it’s time to reveal how the recently reported code injection vulnerability in the popular end-to-end encrypted Signal messaging app works.

As we reported last weekend, Signal has patched its messaging app for Windows and Linux that suffered a code injection vulnerability discovered and reported by a team of white-hat hackers from Argentina.

The vulnerability could have been exploited by remote attackers to inject a malicious payload inside the Signal desktop app running on the recipients’ system just by sending them a specially crafted link—without requiring any user interaction.

According to a blog post published today, the vulnerability was accidentally discovered while researchers–Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo–were chatting on Signal messenger and one of them shared a link of a vulnerable site with an XSS payload in its URL.

However, the XSS payload unexpectedly got executed on the Signal desktop app.

signal-flaw

XSS, also known as cross-site scripting, is a common attack vector that allows attackers to inject malicious code into a vulnerable web application.

After analyzing the scope of this issue by testing multiple XSS payloads, researchers found that the vulnerability resides in the function responsible for handling shared links, allowing attackers to inject user-defined HTML/JavaScript code via iFrame, image, video and audio tags.

Using this vulnerability, attackers can even inject a form on the recipient’s chat window, tricking them to reveal their sensitive information using social engineering attacks.

It had previously been speculated that the Signal flaw might have allowed attackers to execute system commands or gain sensitive information like decryption keys—but no, it is not the case.

The vulnerability was immediately patched by the Signal developers shortly after the proof-of-concept video was released by Ortega last weekend.

Code Injection Attack

The researchers also found that a patch (regex function to validate URLs) for this vulnerability existed in previous versions of the desktop app, but it was somehow removed or skipped in the Signal update released on 10th April this year.

Now, after knowing full details of the vulnerability, it seems that the issue is not a critical or dangerous one, as speculated.

So you can freely rely on Signal for encrypted communication without any worries. Just make sure the service is always up-to-date.

Leave a Reply

Your email address will not be published. Required fields are marked *