Hackers Reveal How Code Injection Attack Works in Signal Messaging App

Hackers Reveal How Code Injection Attack Works in Signal Messaging App

signal-code-execution
After the revelation of the eFail attack details, it's time to reveal how the recently reported code injection vulnerability in the popular end-to-end encrypted Signal messaging app works.

As we reported last weekend, Signal has patched its messaging app for Windows and Linux that suffered a code injection vulnerability discovered and reported by a team of white-hat hackers from Argentina.



The vulnerability could have been exploited by remote attackers to inject a malicious payload inside the Signal desktop app running on the recipients' system just by sending them a specially crafted link—without requiring any user interaction.


According to a blog post published today, the vulnerability was accidentally discovered while researchers–Iv├ín Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo–were chatting on Signal messenger and one of them shared a link of a vulnerable site with an XSS payload in its URL.

However, the XSS payload unexpectedly got executed on the Signal desktop app.
signal-flaw
XSS, also known as cross-site scripting, is a common attack vector that allows attackers to inject malicious code into a vulnerable web application.

After analyzing the scope of this issue by testing multiple XSS payloads, researchers found that the vulnerability resides in the function responsible for handling shared links, allowing attackers to inject user-defined HTML/JavaScript code via iFrame, image, video and audio tags.

Using this vulnerability, attackers can even inject a form on the recipient's chat window, tricking them to reveal their sensitive information using social engineering attacks.

It had previously been speculated that the Signal flaw might have allowed attackers to execute system commands or gain sensitive information like decryption keys—but no, it is not the case.

The vulnerability was immediately patched by the Signal developers shortly after the proof-of-concept video was released by Ortega last weekend.
Code Injection Attack
The researchers also found that a patch (regex function to validate URLs) for this vulnerability existed in previous versions of the desktop app, but it was somehow removed or skipped in the Signal update released on 10th April this year.

No comments:

Post a Comment


© [Ritik banger] and [Hacker ritz], [2017]. Unauthorized use and/or duplication of this material without express and written permission from this blog’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to [Ritik banger] and [Hacker ritz] with appropriate and specific direction to the original content.
Designed by Ritik Banger . All rights reserved . Powered by Blogger.
© Copyright 2017. Website by Hacker Ritz