From the researcher who found it:<p><i>we were able to compile a list of strategic defense-in-depth recommendations for Signal Desktop which we’ve sent to the Signal security team per their request. At the end of the day there will always be new “hot” vulnerabilities, but the “vendor” response is generally what separates the wheat from the chaff. The Signal team’s quick patch time along with a strong interest in mitigating vulnerabilities of this type in the future was encouraging to see. I’ll remain a Signal user for the foreseeable future :)</i><p><a href="https://thehackerblog.com/i-too-like-to-live-dangerously-accidentally-finding-rce-in-signal-desktop-via-html-injection-in-quoted-replies/" rel="nofollow">https://thehackerblog.com/i-too-like-to-live-dangerously-acc...</a>
>Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt Bryant—responsibly reported the vulnerability to Signal, and its developers have patched the vulnerability with the release of Signal desktop version 1.11.0 for Windows, macOS, and Linux users.<p>>However, The Hacker News has learned that Signal developers had already identified this issue as part of a comprehensive fix to the first vulnerability before the researchers found it and reported them.<p>>Signal app has an auto-update mechanism, so most users must have the update already installed. You can read this guide to ensure if you are running updated version of Signal.<p>Seems everything is patched, and was already going to be patched before the vuln was reported.
Maybe secure chat clients shouldn't be written in JavaScript or other languages that have excessive dynamicness? Signal seems to be written mostly in languages that are bad for security (significantly worse than the best alternatives). Maybe I'm just a language nerd without any clue about the trade-offs, but I trust the Wire software more. Note that this just applies to mobile clients and server - Wire, like Signal, chose to build their desktop+webapp in JavaScript :(
In security less is more.<p>The more we try to make encryption mainstream, the more difficult it gets because the mainstream interacts with computers predominately via browsers. The mainstream won't adopt something that isn't highly similar to what a browser has to offer in terms of media richness (photos, videos, html), so you see Signal choosing technologies like Electron, a browser, to develop their native applications. The heart of what signal is and does well (encrypt, decrypt, authenticate) is dwarfed by a pile of code that was added to make signal usable by the mainstream. Desktop Signal, in terms of code and complexity, is no longer a security product -- it's an application with a web-like media experience that happens to tack on a very good library to do encryption and authentication.<p>As we all know, sometimes vulns are in broken crypto, but most of the time they're in a gotcha beneath a mountain of code.
I don't know if this is exploitable, but they are using many different methods to escape HTML content:<p><a href="https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1111c2b12a2870c64a830ca0f4fd04/components/mocha/mocha.js#L89" rel="nofollow">https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1...</a><p>Then here it's a different function:<p><a href="https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1111c2b12a2870c64a830ca0f4fd04/components/mustache/mustache.js#L56" rel="nofollow">https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1...</a><p>Then sometimes they use the underscore library to do it:<p><a href="https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1111c2b12a2870c64a830ca0f4fd04/components/backbone/backbone.js#L295" rel="nofollow">https://github.com/signalapp/Signal-Desktop/blob/d1f7f5ee8c1...</a><p>Which their implementation seems to be using regular expressions as well.
Honestly, and none of you are going to like hearing this, and the Signal people aren't going to appreciate me saying it: if you're serious about messaging securely, don't use Signal Desktop; don't use desktop secure messengers at all. Desktop applications are incredibly risky, far more so than iOS mobile apps are.
Wasn't this domain imitating the actual Hacker News banned years ago?<p>Plus, I think they violate rules because this is just blog spam.<p>The actual source of the story is: <a href="https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection-variant-2/" rel="nofollow">https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injec...</a>
On their Android app, the first thing it makes you do is give them permission to read your SMSs. It won't let you verify by entering a code. I immediately uninstalled - doesn't seem like a privacy focussed organisation to me.
From TFA:<p>"...the new vulnerability (CVE-2018-11101) exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.<p>"In other words, to exploit the newly patched bug on vulnerable versions of Signal desktop app, all an attacker needs to do is send a malicious HTML/javascript code as a message to the victim, and then quote/reply to that same message with any random text.<p>"If the victim receives this quoted message containing the malicious payload on its vulnerable Signal desktop app, it will automatically execute the payload, without requiring any user interaction."<p>Is it the case that you don't even need to have the attacker's number in your contacts list?
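The two comments above that touch on mechanism (the one listing several different HTML-escaping routines in the Signal Desktop tree, and the quoted article text describing a quoted-message body being rendered without escaping) both come down to the same defensive point: every untrusted field, including the quoted reply's text and author, must go through one escaping routine at the template layer. The following is an added example written for this thread, not code from Signal Desktop or from any of the linked libraries; the message shape (`body`, `quote.author`, `quote.text`), the function names and the allowed-tag list are assumptions made for illustration.

```javascript
// Added example (not Signal's code). One escaping routine used for every
// untrusted string that is interpolated into markup.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

function escapeHtml(text) {
  // Escape & first via a single pass so already-escaped output is not double-escaped by a second call.
  return String(text).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Hypothetical message shape assumed for this example:
// { body: string, quote?: { author: string, text: string } }
// The quoted author and text are attacker-controlled just like the body,
// so they are escaped with the same routine as the body.
function renderQuotedReply(msg) {
  const quote = msg.quote
    ? `<blockquote class="quote"><span class="author">${escapeHtml(msg.quote.author)}</span>` +
      `<p>${escapeHtml(msg.quote.text)}</p></blockquote>`
    : '';
  return `<div class="message">${quote}<p>${escapeHtml(msg.body)}</p></div>`;
}

// Regression check for the template layer: after rendering, the only tags
// present should be the ones the template itself emits. Any other tag name
// means some field reached the markup unescaped. This is a test-time
// invariant, not a sanitizer; rendering must still rely on escapeHtml.
const TEMPLATE_TAGS = new Set(['div', 'p', 'blockquote', 'span']);

function containsUnexpectedTags(html) {
  const names = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9-]*)/g)].map((m) => m[1].toLowerCase());
  return names.some((name) => !TEMPLATE_TAGS.has(name));
}

// Constructed sample: a quoted message whose text contains markup characters.
const sampleMessage = {
  body: 'sure, see below',
  quote: { author: 'alice', text: '<b>bold</b> & "quoted"' },
};

function demo() {
  const html = renderQuotedReply(sampleMessage);
  return { html, unexpected: containsUnexpectedTags(html) };
}
```

The point of `containsUnexpectedTags` is to make "did every field get escaped?" a mechanical check that runs over rendered output in a test suite, so that adding a new field to the template (as a quoted-reply feature does) cannot silently bypass the escaping step. It deliberately uses a fixed allow-list of the tags the template itself produces rather than trying to recognise dangerous ones.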
This news saddens me. I’ve been the last user of the Signal desktop app around me and it looks like I have been too optimistic about Electron. I’ve now deleted any Electron app and recommend everyone to do the same.
Interesting, more or less, nothing is 100% secure. Looks like the DEA had cracked whatever crypto BlackBerry was using and quite a few drug dealers were caught that way (one example: <a href="https://www.thedailybeast.com/the-deas-dirty-cop-who-tipped-off-a-cartel" rel="nofollow">https://www.thedailybeast.com/the-deas-dirty-cop-who-tipped-...</a> ). They must have been using it because of the reputation BB had. I wonder what we will find out in time about the narcos, terrorists etc using Signal.
Anyone else have an aesthetic feeling for this? Signal desktop <i>felt</i> clunky to such a degree that takes away from trust that Telegram feels equally secure - even though it is not.
Is there a native Signal client that isn’t an Electron abomination?<p>It is clear at this point that the Signal desktop people have no idea what they are doing and cannot be trusted to write a secure desktop application.
When will people start using plain old PGP — a tool that does one thing only, and does it right? Sure, it's a little harder than using just one tool that handles contacts, communication, formatting, and encryption, while making popcorn and walking the dog, but it works, and it's secure if you use it right.<p>Our efforts to make encryption easy are going to get someone killed.