
Signal-desktop HTML tag injection advisory - throwwwafgk
https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/advisory/
======
AdmiralAsshat
Is this a joke?

>Solution/Vendor Information/Workaround

>For safer communications on desktop systems, please consider the use of a
safer end-point client like PGP or GnuPG instead.

---

Meanwhile, regarding yesterday's PGP flaw:

[https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0](https://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0)

>EFF’s recommendations: Disable or uninstall PGP email plugins for now. Do not
decrypt encrypted PGP messages that you receive. Instead, use non-email based
messaging platforms, like Signal, for your encrypted messaging needs.

~~~
baby
Please do not quote with codeblocks as it is unreadable on mobile.

------
r3bl
I know that an unsanitized HTML input is a stupid issue to begin with, but
update issued within 24 hours of _discovery_ (and within 5 hours from
disclosure)? That's really impressive.

~~~
masklinn
> I know that an unsanitized HTML input is a stupid issue to begin with

Input is never the issue, output is: you don't know how the input will be
used/rendered, so it should be messed with as little as possible.

~~~
eximius
Depends entirely on your application. Often you know, or are willing to
constrain, the uses of an input.

~~~
Bartweiss
And for encryption, you absolutely should when in doubt.

The HTML tag attack on PGP works by mixing plain and cipher text, which is a
thing people might genuinely want to do. But the safer clients still
interfered with it by re-encrypting anything which didn't begin with a PGP
signature, for the very good reason that they couldn't trust mixed messages.
The clients which mildly constrained inputs prevented the entire attack
vector, and it looks like a very good tradeoff right now.

------
jlund
Just one additional note that might not be immediately clear from the
advisory: Exploiting this requires the attacker to first manually place
malware (a malicious JavaScript file) on your computer or on a Samba network
share that your computer is already connected to.

~~~
bjoli
Yeah. That fact seems pretty hidden in the reports. Due to proper CSP only
local files will be executed.

If you are who I think you are, maybe you could speculate if there is actually
any use for this other than loading local files (local file execution) and
crashing signal?

~~~
nitrogen
If a .js file is redirected to from a web page, with a Content-Disposition
header marking it as a download, and (as is common) the browser downloads
automatically to ~/Downloads, doesn't that leave the .js file in a predictable
place that can then be used by an attack on Electron?

~~~
bjoli
That could probably be answered by jlund. Electron downloading things by
default seems like a pretty bad thing to do.

------
opmac
Ah, Electron /sigh.

Luckily this is fixed in the latest version (v1.11.0), so if you're a Signal
user (you should be!) and you haven't upgraded already, you should upgrade
immediately.

~~~
seba_dos1
> (you should be!)

I don't see how going from one IM silo to another just because it's encrypted
is going to help with anything. Especially one that's hostile towards
alternative clients. I'm using XMPP with OMEMO, as I should be :P

~~~
opmac
OMEMO actually implemented the double-ratchet algorithm developed as part of
the Signal Protocol. Signal, in my eyes, is still the benchmark for balance
between usability and security. That's fine if you prefer XMPP w/ OMEMO, and
it's arguably just as secure.

...but it's unfair to call Signal another IM silo that's "hostile" towards
other clients. Signal is 100% open source, along with the Signal Protocol
which powers it all. It is community supported and wholly dedicated to bringing
cryptography to everybody. The latest implementation of OMEMO as it exists
today would not be what it is without Signal.

~~~
seba_dos1
Sure, Signal contributed back to the whole IM scene some very useful things,
I'm grateful for that. That still won't make me use or recommend their
network, as they actively request alternative clients to stop using their
servers and are just yet another, centralized network that can just go away at
any moment.

In Poland I don't see many people using Signal yet. I'm recommending
Conversations to anyone who asks, which doesn't seem far away in terms of
usability. On desktop it's a bit worse (I mean, I'm very comfy with my Psi,
but wouldn't recommend it to a random person on the street), however Dino
looks very promising and might fill that niche soon.

~~~
sicco
A relevant blogpost by Moxie about why the Signal app uses a centralized model
(and thus doesn't allow other apps to connect to their servers):
[https://signal.org/blog/the-ecosystem-is-moving/](https://signal.org/blog/the-ecosystem-is-moving/)

Still all code is open source and Signal's code does support federation. Moxie
stated before that you can take the code and start a federated version of
Signal if you want.

~~~
seba_dos1
Of course you can. That won't be Signal though, just another network using
its code, and there's already XMPP, so there's no need for that.

> (and thus doesn't allow other apps to connect to their servers)

"thus"? You can easily use a centralized model and allow the client ecosystem to
thrive. You don't have to do much, just don't actively prohibit them.

And I know the blog post, it isn't very convincing.

------
RVuRnvbM2e
SIGFAIL? Where's the vanity domain and whitepaper?

~~~
bcaa7f3a8bbc
Or SIGINT, would be a good NSA joke.
[https://en.wikipedia.org/wiki/SIGINT](https://en.wikipedia.org/wiki/SIGINT)

------
jboynyc
If you're interested in the how, who, what and where, there's a more chatty
account of how this vulnerability was discovered, reported, fixed and
disclosed here: [https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/](https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection/)

(submitted yesterday at
[https://news.ycombinator.com/item?id=17070032](https://news.ycombinator.com/item?id=17070032))

------
FranOntanaya
Good old unsanitized HTML. Brings memories of the first bulletin boards.

~~~
ycmbntrthrwaway
It should have been done via DOM manipulation in the first place. What Signal
developers did can be compared to constructing raw SQL requests where
parameterized queries suffice. Thankfully, it was just fixed:
[https://github.com/signalapp/Signal-Desktop/commit/4e5c8965ff72576a9e20850dd30d9985f4073192](https://github.com/signalapp/Signal-Desktop/commit/4e5c8965ff72576a9e20850dd30d9985f4073192)
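
An added illustration of the point above, not Signal's code and not taken from the linked commit: message text spliced straight into an HTML string, beside the escaped and the textContent-based renderings. The function names, the `leaksTags` check and the sample message are all constructed here; `doc` stands for any DOM `document`.

```javascript
// Added example: string-concatenated markup vs. treating message text as data.

// Minimal HTML escaping for text that will sit inside an element's body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// The bug pattern: sender-controlled text is spliced straight into markup,
// so any tag the sender includes becomes part of the rendered DOM.
function renderMessageVulnerable(body) {
  return `<div class="message">${body}</div>`;
}

// The fix when markup strings are unavoidable: escape before splicing.
function renderMessageEscaped(body) {
  return `<div class="message">${escapeHtml(body)}</div>`;
}

// The preferred pattern: build nodes and assign text via textContent,
// which is never parsed as HTML. In a browser, pass `document` as `doc`.
function renderMessageDom(doc, body) {
  const div = doc.createElement("div");
  div.className = "message";
  div.textContent = body; // data, never markup
  return div;
}

// Constructed sample message carrying tags a sender should not control.
const SAMPLE = 'hi <b>there</b><script>console.log("ran")</script>';

// Regression check for a renderer: does any opening tag from the input
// survive verbatim in the rendered output? (Closing tags are ignored.)
function leaksTags(rendered, body) {
  const tags = body.match(/<[a-z][^>]*>/gi) || [];
  return tags.some((t) => rendered.includes(t));
}
```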

~~~
rndgermandude
Frankly, I'm not too eager to trust people writing commit messages like this
and then OK that during peer review:

[https://github.com/signalapp/Signal-Desktop/commit/9d41b8616296f1b328aa864e0114b99d7f11ca06](https://github.com/signalapp/Signal-Desktop/commit/9d41b8616296f1b328aa864e0114b99d7f11ca06)

> Remove escaping from `linkText`
>
> We leverage jQuery’s HTML escaping in `$.html(…)`.

ummm.... wat

------
andrewstuart
Electron wouldn't be needed if browsers provided controlled access to a small
selection of local resources like filesystems.

Why don't developers who think they need Electron instead just run as
standalone browser windows with controlled resource access as suggested?
Answer: because browsers haven't done the work required to provide the stuff
that people think they need from electron.

The core idea that is flawed with Electron is that there really shouldn't be
any context in which an application needs unrestricted access to the
underlying OS - what application needs that? Electron combines such
unrestricted access with the ability to download and run code from the web,
which is a recipe for disaster. The effort being put into Electron should
instead go into putting controlled access to local resources into browsers.

------
Rjevski
Just another day in Electron land.

It used to be that XSS was only an issue on the web, but thanks to Electron
it is now everywhere, including desktop and mobile apps.

------
zeveb
In the future, I believe that we're going to consider using Electron to create
pseudo-native applications a code smell.

~~~
NoGravitas
I think that future is already here. I'm seeing a lot of development of
desktop Matrix clients, which to some extent has to be driven by desktop Riot
being an Electron app.

------
proactivesvcs
> For safer communications on desktop systems, please consider the use of a
> safer end-point client like PGP or GnuPG instead.

It seems like rather poor timing to make such a derogatory comment.

------
gpvos
Dat timeline.

