A few days ago some researchers discovered an HTML Injection vulnerability in Signal Desktop and wrote a public disclosure. The Signal team quickly released an update on May 11th; the problem was in the file /js/views/message_view.js.
Reading the changes to message_view.js, it seemed that the Signal team had only fixed the “problem of the URL”. So maybe I could still inject HTML code somehow. Signal Desktop does not have many features, so I tried to send myself a basic message:
PROVA. Obviously nothing happened. So I tried the Reply to message feature, and BINGO! My original message
PROVA has become
The vulnerability is the same as in the first report; the difference is that the attacker must send two messages: the first message is the HTML code, the second message is the reply to the first, which executes the code. I found this vulnerability on May 15, but a few hours later it was fixed with an update (v1.11.0), before I had sent the report to the Signal developers. Someone (@mis2centavos) tweeted about the new vulnerability a few hours before me.
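To make the two-message pattern concrete, here is an added example (not Signal's code, and the exact shape of the original bug in message_view.js is an assumption): a tiny model of a client that escapes a message body when it is displayed directly but interpolates the quoted body of a reply into the template as-is, beside the hardened version and a regression check that flags any tag the templates themselves never emit. The message store is constructed for the example.

```javascript
// Added example, not Signal's code: a minimal model of a chat client that renders
// a normal message through an escaping path but renders the "Reply" quote by
// interpolating the quoted body straight into the template. The shape of the
// original bug is an assumption; the messages below are constructed.

const STORE = [
  { id: 1, author: 'Alice', body: '<b>PROVA</b><img src="x">' }, // message 1: markup in the body
  { id: 2, author: 'Bob', body: 'reply', quoteOf: 1 },            // message 2: a reply quoting it
];

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Direct message rendering: the body is escaped, so markup shows up as plain text.
function renderMessageBody(msg) {
  return `<div class="body">${escapeHtml(msg.body)}</div>`;
}

// Vulnerable quote rendering: the quoted author and body are interpolated as-is.
function renderReplyUnsafe(store, id) {
  const msg = store.find((m) => m.id === id);
  const quoted = store.find((m) => m.id === msg.quoteOf);
  return `<div class="quote"><span class="author">${quoted.author}</span>` +
         `<div class="text">${quoted.body}</div></div>` + renderMessageBody(msg);
}

// Hardened quote rendering: every field taken from another message is escaped too.
function renderReplySafe(store, id) {
  const msg = store.find((m) => m.id === id);
  const quoted = store.find((m) => m.id === msg.quoteOf);
  return `<div class="quote"><span class="author">${escapeHtml(quoted.author)}</span>` +
         `<div class="text">${escapeHtml(quoted.body)}</div></div>` + renderMessageBody(msg);
}

// Regression check: tag names present in the output that the templates never emit.
const TEMPLATE_TAGS = new Set(['div', 'span']);
function untrustedTags(html) {
  return (html.match(/<\/?([a-z][a-z0-9]*)/gi) || [])
    .map((t) => t.replace(/^<\/?/, '').toLowerCase())
    .filter((t) => !TEMPLATE_TAGS.has(t));
}

console.log(untrustedTags(renderReplyUnsafe(STORE, 2)));  // [ 'b', 'b', 'img' ]
console.log(untrustedTags(renderReplySafe(STORE, 2)));    // []
```

The check is cheap enough to keep as a unit test on every rendering path that embeds one message inside another (quotes, previews, notifications), which is exactly the path the first fix left out.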
PROOF OF CONCEPT
15/05/2018 – Signal Desktop is updated to version 1.11.0