
Remote zero-click JavaScript code execution on Signal desktop - uptown
https://twitter.com/ortegaalfredo/status/995017143002509313
======
0x0
Ah, yes, Electron, where a simple XSS can quickly turn into full account
compromise and RCE? :O

[https://blog.doyensec.com/2017/08/03/electron-framework-secu...](https://blog.doyensec.com/2017/08/03/electron-framework-security.html)

~~~
krapp
Alas, if only there were a way to write native applications in some language
other than javascript...

~~~
stephengillie
Serious questions:

1. Why don't browsers execute (interpret?) languages other than JavaScript?

2. What would be involved in having a browser execute (interpret?) other
languages, such as Perl or Python?

~~~
krapp
> 1. Why don't browsers execute (interpret?) languages other than JavaScript?

I believe the general idea was that they would, because the "type" attribute
in the <script> tag didn't _need_ to be "text/javascript", but javascript
happened to win because it was supported by Netscape Navigator. Microsoft had
VBScript, but that was an IE only product, while both browsers supported
javascript, making it the only choice for cross-browser compatible scripting
(albeit with lots of irritating hacks, but then jQuery came along.)

See this decent StackExchange thread here[0].

Then HTML5 deprecated the type attribute from the script tag because there
really was no point anymore. Why support other languages when one language was
adequate and already ubiquitous?

> 2. What would be involved in having a browser execute (interpret?) other
languages, such as Perl or Python?

Today? Browsers could ship with support for those languages (the way Chrome
did with Dart) but of course, that would fragment the web unless all browsers
supported all options. Or maybe plugins. Or "compiling to javascript." Or
Webassembly[1].

I 100% believe that seamless, dynamic language support through WASM is going
to be a thing eventually.

[0][https://softwareengineering.stackexchange.com/questions/2894...](https://softwareengineering.stackexchange.com/questions/28947/how-did-javascript-become-popular)

[1][https://github.com/mbasso/awesome-wasm#languages](https://github.com/mbasso/awesome-wasm#languages)

~~~
TheAceOfHearts
Chrome never shipped Dart support. There was a modified version of Chromium
with Dart support called Dartium, but it was discontinued with Dart 2.x.

------
f2n
It'll be interesting to see how this works, given that the Signal Desktop
client's main page (background.html) includes a CSP that restricts it from
running inline or external scripts. It can only run JS that's already in the
Signal Desktop package (in theory).

The fact that this isn't being described as an issue with CSPs or electron
makes me wonder how it could possibly work.
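
A small evaluator for the script-src part of a Content-Security-Policy, added here as an illustration and not code from Signal Desktop or from anyone in the thread; the two sample policies are constructed (Signal's actual CSP is not quoted on this page) and show why a policy of the kind described above refuses inline scripts and scripts from outside the package.

```javascript
// Added example (not Signal Desktop's code): a minimal evaluator for the
// script-src part of a Content-Security-Policy. Ports, paths and
// 'strict-dynamic' are ignored for brevity.
function parseCsp(policy) {
  const directives = new Map(); // first occurrence of a directive wins
  for (const part of policy.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), values);
  }
  return directives;
}
function scriptSources(policy) {
  // script-src falls back to default-src; null means no restriction at all
  const d = parseCsp(policy);
  return d.get('script-src') ?? d.get('default-src') ?? null;
}
function allowsInlineScript(policy) {
  const src = scriptSources(policy);
  if (src === null) return true;
  // a nonce or hash source makes browsers ignore 'unsafe-inline' (CSP Level 2+)
  const nonceOrHash = src.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return !nonceOrHash && src.some(s => s.toLowerCase() === "'unsafe-inline'");
}
function matchesHostSource(expr, u) {
  // expr: "https://cdn.example.com", "cdn.example.com" or "*.example.com"
  const m = expr.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  const host = (m ? m[2] : expr).split('/')[0].split(':')[0];
  if (m && m[1] + ':' !== u.protocol) return false;
  if (host === '*') return true;
  if (host.startsWith('*.')) return u.hostname.endsWith(host.slice(1));
  return u.hostname === host;
}
function allowsScriptUrl(policy, url, documentOrigin) {
  const src = scriptSources(policy);
  if (src === null) return true;
  const u = new URL(url);
  for (const s of src) {
    const v = s.toLowerCase();
    if (v === "'self'") { if (u.origin === documentOrigin) return true; continue; }
    if (v.startsWith("'")) continue; // 'none', 'unsafe-inline', nonce and hash sources
    if (/^[a-z][a-z0-9+.-]*:$/.test(v)) { if (v === u.protocol) return true; continue; }
    if (matchesHostSource(v, u)) return true;
  }
  return false;
}
// Constructed sample policies; not copied from Signal Desktop's background.html.
const LOCKED_DOWN = "default-src 'none'; script-src 'self'";
const PERMISSIVE = "script-src 'self' 'unsafe-inline' https://cdn.example.com";
```

With `LOCKED_DOWN`, only scripts from the document's own origin run and inline script is refused, which is the situation the comment above describes; with `PERMISSIVE`, an injected inline script would execute.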

~~~
jsnar
Electron is unsafe because it's based on outdated versions of Chromium:
[https://github.com/signalapp/Signal-Desktop/issues/1635](https://github.com/signalapp/Signal-Desktop/issues/1635)

~~~
f2n
You've linked that thread a couple of times here, never really elaborating on
the nature of your concerns, nor do you elaborate on the specific nature of
your concerns in the ticket. Have you considered elaborating on the nature of
your concerns? Is there a specific vulnerability in chromium you feel could be
exploited here?

------
ge0rg
It's time to admit that we can't fix web security anymore, and that we should
just start anew. XSS, SQLi, cross origin flaws, etc. There are just too many
vectors for a human developer to make a correct implementation.

~~~
craftyguy
> It's time to admit that we can't fix web security anymore

It seems like this was fixed in a newer version of chromium... a version that
electron is _not_ based on. This particular problem exists purely because they
used a framework that depends on a ridiculously complicated backend, one that
the framework has chosen not to follow closely (despite the backend addressing
security issues in a relatively timely manner).

------
jsnar
Signal desktop app is based on the insecure Electron runtime. See my report
here: [https://github.com/signalapp/Signal-Desktop/issues/1635](https://github.com/signalapp/Signal-Desktop/issues/1635)

~~~
Boulth
I read the (now locked) thread; the way they handled the report leaves much to
be desired.

