signal-desktop HTML tag injection advisory

Title: Signal-desktop HTML tag injection

Date Published: 2018-05-14

Last Update: 2018-05-14

CVE Name: CVE-2018-10994

Class: Code injection

Remotely Exploitable: Yes

Locally Exploitable: No

Vendors contacted:

Vulnerability Description:

Signal-desktop is the standalone desktop version of the secure Signal messenger. This software is vulnerable to remote code execution from a malicious contact, by sending a specially crafted message containing HTML code that is injected into the chat windows (Cross-site scripting).

Vulnerable Packages:

  • Signal-desktop messenger v1.7.1
  • Signal-desktop messenger v1.8.0
  • Signal-desktop messenger v1.9.0
  • Signal-desktop messenger v1.10.0

Originally found in v1.9.0 and v1.10.0, but after reviewing the source code the aforementioned are the impacted versions.

Solution/Vendor Information/Workaround

Upgrade to Signal-desktop messenger v1.10.1 or v1.11.0-beta.3
For safer communications on desktop systems, please consider the use of a safer end-point client like PGP or GnuPG instead.


This vulnerability was found and researched by Iván Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and Juliano Rizzo (@julianor), with assistance from Javier Lorenzo Carlos Smaldone (@mis2centavos).

Technical Description – Exploit/Concept Code

While discussing a XSS vulnerability on a website using the Signal-desktop messenger, it was found that the messenger software also displayed a code-injection vulnerability while parsing the affected URLs.

The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the <img> and <iframe> tags can be used to include remote or local resources.

For example, the use of iframes enables full code execution, allowing an attacker to download/upload files, information, etc. The <script> tag was also found injectable.

In the Windows operative system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in a SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html>. The included JavaScript code is then executed automatically, without any interaction needed from the user. The vulnerability can be triggered in the signal-desktop client by sending a specially crafted message.


  • Show an iframe with some text:
  • Display content of user’s own /etc/passwd file:
  • Include and execute a remote JavaScript file (for Windows clients):
  • Show a base64-encoded image (bypass «click to download image»):


  • 2018-05-10 18:45 GMT-3: vuln discovered
  • 2018-05-11 13:03 GMT-3: emailed Signal security team
  • 2018-05-11 15:02 GMT-3: reply from Signal: vuln confirmed & patch ongoing
  • 2018-05-11 16:12 GMT-3: patch committed
  • 2018-05-11 18:00 GMT-3: signal-desktop update published
  • 2018-05-14 18:00 GMT-3: public disclosure