signal-desktop HTML tag injection

Here’s the story of how casual conversations uncovered two huge security holes in one of the most reliable messaging services.

What happened

Soon after we publicly disclosed the vulnerability, a new one was uncovered. You can skip all of the details and just upgrade to signal-desktop v1.11 (or newer) to be safe.

Disclaimer: please note that the Signal mobile app is not affected in any way.

CVE-2018-10994

HTML tag injection through percent-encoded characters in links. Embargo lifted on 14th May 2018 at 18:00 GMT-3.

Credits

This vulnerability was found and researched by Barrera Oro, Iván Ariel (@HacKanCuBa), Ortega, Alfredo (@ortegaalfredo) and Rizzo, Juliano (@julianor), with assistance from Smaldone, Javier (@mis2centavos).

CVE-2018-11101

HTML tag injection through quote-replying to a message containing HTML. Embargo lifted on 16th May 2018 at 11:00 GMT-3.

Credits

This vulnerability was found and researched by Barrera Oro, Iván Ariel (@HacKanCuBa), Bryant, Matt (@IAmMandatory), Ortega, Alfredo (@ortegaalfredo) and Rizzo, Juliano (@julianor), with assistance from Smaldone, Javier (@mis2centavos).

Appearances
