Here’s the story of how casual conversations uncovered two huge security holes in one of the most reliable messaging services.
Soon after we publicly disclosed the vulnerability, a new one was uncovered. You can skip all of the details and just upgrade to signal-desktop v1.11 (or newer) to be safe.
Disclaimer: please note that the Signal mobile app is not affected in any way.
HTML tag injection through percent-encoded characters in links. Embargo lifted on 14th May 2018 at 18:00 GMT-3.
This vulnerability was found and researched by Barrera Oro, Iván Ariel (@HacKanCuBa), Ortega, Alfredo (@ortegaalfredo) and Rizzo, Juliano (@julianor), with assistance from Smaldone, Javier (@mis2centavos).
HTML tag injection through quote replying a message containing HTML. Embargo lifted on 16th May 2018 at 11:00 GMT-3.
- Read the write-up.
- Read the advisory.
- Read Matt Bryant’s write-up.
- Read the Full Disclosure archive.
This vulnerability was found and researched by Barrera Oro, Iván Ariel (@HacKanCuBa), Bryant, Matt (@IAmMandatory), Ortega, Alfredo (@ortegaalfredo) and Rizzo, Juliano (@julianor), with assistance from Smaldone, Javier (@mis2centavos).