
Another flaw in Signal desktop app leaks chats in plaintext - workerthread
https://thehackernews.com/2018/05/signal-desktop-hacking.html
======
Aissen
From the researcher who found it:

 _we were able to compile a list of strategic defense-in-depth recommendations
for Signal Desktop which we’ve sent to the Signal security team per their
request. At the end of the day there will always be new “hot” vulnerabilities,
but the “vendor” response is generally what separates the wheat from the
chaff. The Signal team’s quick patch time along with a strong interest in
mitigating vulnerabilities of this type in the future was encouraging to see.
I’ll remain a Signal user for the foreseeable future :)_

[https://thehackerblog.com/i-too-like-to-live-dangerously-
acc...](https://thehackerblog.com/i-too-like-to-live-dangerously-accidentally-
finding-rce-in-signal-desktop-via-html-injection-in-quoted-replies/)

------
andrepd
>Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt
Bryant—responsibly reported the vulnerability to Signal, and its developers
have patched the vulnerability with the release of Signal desktop version
1.11.0 for Windows, macOS, and Linux users.

>However, The Hacker News has learned that Signal developers had already
identified this issue as part of a comprehensive fix to the first
vulnerability before the researchers found it and reported them.

>Signal app has an auto-update mechanism, so most users must have the update
already installed. You can read this guide to ensure if you are running
updated version of Signal.

Seems everything is patched, and was already going to be patched before the
vuln was reported.

------
tormeh
Maybe secure chat clients shouldn't be written in JavaScript or other
languages that have excessive dynamicness? Signal seems to be written mostly
in languages that are bad for security (significantly worse than the best
alternatives). Maybe I'm just a language nerd without any clue about the
trade-offs, but I trust the Wire software more. Note that this just applies to
mobile clients and server - Wire, like Signal, chose to build their
desktop+webapp in JavaScript :(

~~~
pfg
As much as I'm not a fan of JavaScript, the problem is not so much the
language but rather the choice of Electron and all that comes with it. Heck,
even a web version or Chrome app would've successfully mitigated these
attacks. Electron means you're one XSS away from remote code execution, and
even worse, it makes it way harder to mitigate XSS through CSP (which Signal
did utilize, but script-src 'self' can easily be bypassed in Electron).

FWIW, Signal's native mobile apps are written in Java and Objective-C
respectively, so there's not really much of a difference compared to Wire
(which is a good choice as well). Still, even a hypothetical React Native app
written in JavaScript wouldn't be much worse; after all, React Native isn't
just a Web View made to look like a native app, but uses actual native
components.

~~~
rndgermandude
While I agree that Electon offers a massive amount of footguns, neither
Javascript nor Electon was the issue in this case. The issue was using
innerHTML (or rather $.html()) with strings concatenated together from user
input. Something you should never do. Could as well just call eval() directly
on it, or pass the input to gcc, compile it and run the resulting binary.

The Signal devs thought $.html() does some kind of escaping:
[https://github.com/signalapp/Signal-
Desktop/commit/9d41b8616...](https://github.com/signalapp/Signal-
Desktop/commit/9d41b8616296f1b328aa864e0114b99d7f11ca06) (this commit made
something that was easy to exploit into something that was even easier to
exploit).

To be honest, I'd lay more blame on the authors of the DOM spec making
innerHTML a setter than on Electron, and jQuery exposing this misfeature even
more with $.html(), teaching an army of web developers to do the wrong thing.
We've all seen numerous (XSS) vulnerabilities in all kinds of websites,
browser extensions, Electron apps, etc resulting from this API, tho in
Electron apps it gets particularly devastating as often you'd get code
execution not just in a sandboxed website but full code execution under the
current user credentials in the system.

~~~
grrowl
> The Signal devs thought $.html() does some kind of escaping:
> [https://github.com/signalapp/Signal-
> Desktop/commit/9d41b8616...](https://github.com/signalapp/Signal-
> Desktop/commit/9d41b8616..). (this commit made something that was easy to
> exploit into something that was even easier to exploit).

This is an absolutely egregious rookie error. I wouldn't touch the Signal
desktop app with a 10 foot pole after seeing that commit.

~~~
mercer
Why is this a 404 now?

~~~
Stephen304
Looks like grrowl copied and repasted the truncated display text of the link.
The full link is 2 comments up: [https://github.com/signalapp/Signal-
Desktop/commit/9d41b8616...](https://github.com/signalapp/Signal-
Desktop/commit/9d41b8616296f1b328aa864e0114b99d7f11ca06)

------
matthewaveryusa
In security less is more.

The more we try to make encryption mainstream, the more difficult it gets
because the mainstream interacts with computers predominately via browsers.
The mainstream won't adopt something that isn't highly similar to what a
browser has to offer in terms of media richness (photos, videos, html), so you
see Signal choosing technologies like Electron, a browser, to develop their
native applications. The heart of what signal is and does well (encrypt,
decrypt, authenticate) is dwarfed by a pile of code that was added to make
signal usable by the mainstream. Desktop Signal, in terms of code and
complexity, is no longer a security product -- it's an application with a web-
like media experience that happens to tack on a very good library to do
encryption and authentication.

As we all know, sometimes vulns are in broken crypto, but most of the time
they're in a gotcha beneath a mountain of code.

~~~
justicezyx
In general less is more, with proper abstraction, not just in security.

------
ddtaylor
I don't know if this is exploitable, but they are using many different methods
to escape HTML content:

[https://github.com/signalapp/Signal-
Desktop/blob/d1f7f5ee8c1...](https://github.com/signalapp/Signal-
Desktop/blob/d1f7f5ee8c1111c2b12a2870c64a830ca0f4fd04/components/mocha/mocha.js#L89)

Then here it's a different function:

[https://github.com/signalapp/Signal-
Desktop/blob/d1f7f5ee8c1...](https://github.com/signalapp/Signal-
Desktop/blob/d1f7f5ee8c1111c2b12a2870c64a830ca0f4fd04/components/mustache/mustache.js#L56)

Then sometimes they use the underscore library to do it:

[https://github.com/signalapp/Signal-
Desktop/blob/d1f7f5ee8c1...](https://github.com/signalapp/Signal-
Desktop/blob/d1f7f5ee8c1111c2b12a2870c64a830ca0f4fd04/components/backbone/backbone.js#L295)

Which their implementation seems to be using regular expressions as well.

~~~
hawkice
The first one doesn't escape single quotes or slash, but I have no idea how to
get any HTML parser to treat just those as anything but text. Underscore's
implementation will be correct, I'm sure.

~~~
codedokode
Slash doesn't need to be encoded. Only 5 characters that have special meaning
have to be encoded (&, <, >, " and ').

~~~
hawkice
Which raises the best question: how would you exploit someone not escaping
single quotes? I do not know. Perhaps it isn't possible.

~~~
jscissr
I think escaping quotes only matters for attributes (which can use ' or ").
Example:

    
    
        <img src="$url">
    

Exploit:

    
    
        foo.jpg" onload="alert('pwned')

~~~
kuroguro
Heh, found the exact bug on a live bbcode parser some 5 years ago.

~~~
codedokode
It was probably written using regexps? One should make full syntax analysis
instead of writing regexp hacks.

------
tptacek
Honestly, and none of you are going to like hearing this, and the Signal
people aren't going to appreciate me saying it: if you're serious about
messaging securely, don't use Signal Desktop; don't use desktop secure
messengers at all. Desktop applications are incredibly risky, far more so than
iOS mobile apps are.

~~~
al_chemist
> don't use desktop secure messengers at all. Desktop applications are
> incredibly risky, far more so than iOS mobile apps are.

It's risky to use an open source OS. If you are serious about security, use
Android or iOS. Instead of direct ssl connection to XMPP server, it's much
safer to send all your data with Google Cloud Messaging. /s

Desktop computers are currently the most open sourced, least opaque, least
spyware, non gps tracking, non "microphone always listening for 'ok google'"
computer average person has. Why do you suggest that iphone is much more
private device?

~~~
confounded
You have my upvote, but I imagine that tptacek means that iOS is very very
well sandboxed, and has an extremely tight and well authenticated download and
update system which is extremely difficult for a third party to monkey with.

This is security via centralization and trusting a benevolent capitalist
dictator. As long as your personal interests are aligned with interests of the
benevolent capitalist's shareholders, you should be fine.

It is my _least favorite security model_. But, in the case of iOS it seems to
be working well (for now). My long-term hope is for a decentralized FOSS
model, but for the time being, in the USA, on a multipurpose machine, the
benevolent capitalist dictator beats it, especially on sandboxing and
package/app authentication.

~~~
tptacek
I like open source software as much as most people on HN, and have worked with
it for most of my career. But help me understand how a decentralized FOSS
model gets ordinary lawyers, reporters, and congressional campaign staffers
the level of security that iOS does? What are the mechanisms that assure
safety for users?

The closest I can come to seeing something like this work is a Chromebook, and
Chromebooks are locked-down and get their security model from a central
authority.

~~~
_emacsomancer_
> What are the mechanisms that assure safety for users?

What are the mechanisms that assure safety for users of iOS? I understand that
it's had a good track record so far, but the proprietary closed nature doesn't
inherently inspire trust. Surely a decentralised FOSS model done right could
be secure for lawyers &c.

~~~
fjsolwmv
As the old saying goes, "if you could have invented a secure open source
desktop chat app, you would have developed a secure open source desktop chat
app."

In practice, empirict results win over theoretically optimal designs.

~~~
_emacsomancer_
And as the old saying continues, "...so instead you invented a proprietary
one, with hidden code, and told everyone it's secure."

------
ccnafr
Wasn't this domain imitating the actual Hacker News banned years ago?

Plus, I think they violate rules because this is just blog spam.

The actual source of the story is: [https://ivan.barreraoro.com.ar/signal-
desktop-html-tag-injec...](https://ivan.barreraoro.com.ar/signal-desktop-html-
tag-injection-variant-2/)

~~~
rando444
I don't see anything imitating this website.. other than a technology based
news feed and a similarly used name.

I used to browse a website called "hacker news" back in the late 90s / early
2000s, but I wouldn't go as far as to call News YC a copy of that.

~~~
ccnafr
I was referring to the fact of imitating the HN brand by capitalizing on the
domain name so they could scoop up all the traffic and SEO love. That's why
the domain was banned to begin with a few years back. There was a whole
discussion about it.

~~~
rando444
The site that I was referring to was literally hackernews.com, and was very
popular among the tech crowd from the late 90s onward. (long before YC was
conceived)

ALmost 20 years ago, I used to rotate between hacker news, fark, and slashdot
to get my daily dose of internet.

[https://web.archive.org/web/*/hackernews.com](https://web.archive.org/web/*/hackernews.com)

One would be perfectly justified in also trying to claim that the name here
was stolen from the original.

.. but sometimes, just because things share a common name, does not
necessarily mean they are related.

[https://en.wikipedia.org/wiki/Post_hoc_ergo_propter_hoc](https://en.wikipedia.org/wiki/Post_hoc_ergo_propter_hoc)

~~~
ccnafr
Not that one. That's owned by Space Rogue. I'm talking about the one linked
now, owned by some Indians who keep copying articles off other sites. There
was a reason this got banned years ago. At one point you could trace articles
from The Register and Motherboard paragraph by paragraph to their stories, but
with bad grammar and bad sentence structure.

------
Jedi72
On their Android app, first thing it makes you do is give them permission to
read your SMSs. It wont let you vefiry by entering a code. I immediately
uninstalled - doesn't seem like a privacy focussed organisation to me.

~~~
cornholio
That sounds absolutely horrendous. Even Whatsapp allows you to verify using a
fixed line and claim that number on the mobile for privacy.

Coupled with the recent LocationSmart revelations, it would make Signal
unusable for those who wish to keep their location private. You absolutely
need to provide the mobile number of the actual terminal being used.

~~~
bigiain
Not true. I have Signal running in an iPod Touch.

I needed to give them a phone number I could read SMS from to set it up, but
there's no need for that to be "the mobile number of the actual terminal being
used".

------
fastball
What is this website?

"The Hacker News"? And no actual relation to HN? This website doesn't even
have an about page...

~~~
orthecreedence
This is BLASPHEMY!!

------
teachrdan
From TFA:

"...the new vulnerability (CVE-2018-11101) exists in a different function that
handles the validation of quoted messages, i.e., quoting a previous message in
a reply.

"In other words, to exploit the newly patched bug on vulnerable versions of
Signal desktop app, all an attacker needs to do is send a malicious
HTML/javascript code as a message to the victim, and then quote/reply to that
same message with any random text.

"If the victim receives this quoted message containing the malicious payload
on its vulnerable Signal desktop app, it will automatically execute the
payload, without requiring any user interaction."

Is it the case that you don't even need to have the attacker's number in your
contacts list?

~~~
symlinkk
No, that's incorrect. You have to have someone's number to send a message to
them.

------
baby
This news saddens me. I’ve been the last user of the Signal desktop app around
me and it looks like I have been too optimistic about Electron. I’ve now
deleted any Electron app and recommend everyone to do the same.

------
FrantaH
It's mind boggling why messaging app has 181 MB.

~~~
codebolt
I'm really starting to get tired of all these bloated JavaScript desktop apps.
I get that it's more convenient for developing cross-platform apps with modern
looking UIs, but I really wish there would be an increased focus on reducing
the overall bloat and resource use, both among app and framework devs.

Speaking as a Windows user, I would vastly prefer a well-designed native
application (WinForms/WPF) over a JS monstrosity any day.

------
verroq
Is there a native Signal client that isn’t an Electron abomination?

It is clear at the point the Signal desktop people has no idea what they are
doing and cannot be trusted to write a secure desktop application.

~~~
soziawa
Nope. But you can try Threema or Wire. They're both pretty good.

------
namuol
Pretty mindblowing that Signal allows things like `dangerouslySetInnerHTML` in
any of their apps. A simple linter would have caught this.

~~~
sakarisson
With such an obviously "DON'T USE THIS" method name as
dangerouslySetInnerHtml, I'd expect that we'd see something like // eslint-
disable-next-line above it.

------
onetimemanytime
Interesting, more or less, nothing is 100% secure. Looks like DEA had cracked
the whatever crypto Blacberry was using and quite a few drug dealers were
caught that way (one example: [https://www.thedailybeast.com/the-deas-dirty-
cop-who-tipped-...](https://www.thedailybeast.com/the-deas-dirty-cop-who-
tipped-off-a-cartel) ). They must have been using because of the reputation BB
had. I wonder what will we find out in time about the narcos, terrorists etc
using Signal.

------
peterburkimsher
Someone invited me to use signal. I thought "It's a trap!"

~~~
peterburkimsher
It's a pun on inter-process communication signals and traps in UNIX.

[https://www.tutorialspoint.com/unix/unix-signals-
traps.htm](https://www.tutorialspoint.com/unix/unix-signals-traps.htm)

------
AlexCoventry
Is the chrome extension also vulnerable to this?

~~~
aortega
No, it is not.

------
pokemongoaway
Anyone else have an aesthetic feeling for this? Signal desktop _felt_ clunky
to such a degree that takes away from trust that Telegram feels equally secure
- even though it is not.

------
tlrobinson
Why is this flagged?

~~~
on_and_off
Same question.

Also, is there somewhere where we can see why a thread is flagged ?

~~~
tlrobinson
Unfortunately there's no way to know why users flag something, but that brings
up an interesting idea: in order to flag something require the user types out
a reason, and if an article is flagged it could show why people flagged it.

------
JasonFruit
When will people start using plain old PGP — a tool that does one thing only,
and does it right? Sure, it's a little harder than using just one tool that
handles contacts, communication, formatting, and encryption, while making
popcorn and walking the dog, but it works, and it's secure if you use it
right.

Our efforts to make encryption easy are going to get someone killed.

~~~
roywiggins
literally this week

[https://news.ycombinator.com/item?id=17064129](https://news.ycombinator.com/item?id=17064129)

~~~
4ad
The PGP vulnerability is actually in e-mail clients, and it affects almost
nobody. And how often do PGP vulnerabilities happen?

Signal got two vulnerabilities that affect everyone _JUST THIS WEEK_.

~~~
tptacek
By "almost nobody", you mean everyone who used Apple Mail/GPGTools and
Thunderbird/Enigma, meaning, the vast majority of everybody who used PGP?

~~~
4ad
Thunderbird does not download remote content by default.

I don't know anybody who is using Apple Mail with GPG, but if there are such
people, they have been doing it very wrong regardless of this vulnerability.
It's an unsafe combination.

I have no statistics on what people use PGP with, but asserting that most
people use it with Apple Mail and Thunderbird is baseless and without proof.

~~~
pfg
> Thunderbird does not download remote content by default.

The researchers behind EFAIL found a number of ways to bypass the remote
content setting. Not only that, but Hanno Böck found another one today[1] that
hasn't been fixed yet.

[1]:
[https://twitter.com/hanno/status/997138771194859521](https://twitter.com/hanno/status/997138771194859521)

