Just one additional note that might not be immediately clear from the advisory: Exploiting this requires the attacker to first manually place malware (a malicious JavaScript file) on your computer or on a Samba network share that your computer is already connected to.
> Exploiting this requires the attacker to first manually place malware (a malicious JavaScript file) on your computer or on a Samba network share that your computer is already connected to.
I'm Alfredo Ortega, part of the team that wrote the original exploit. This is (unfortunately) not true. The exploit in the video was loaded from a Windows share that the victim's computer was not already connected to. This is possible using "Anonymous shares" in Windows 10 and older Windows versions.
To be clear, you need absolutely no additional software on the victim's computer, besides having a vulnerable signal-desktop and running on Windows.
Yeah. That fact seems pretty hidden in the reports. Due to proper CSP only local files will be executed.
If you are who I think you are, maybe you could speculate if there is actually any use for this other than loading local files (local file execution) and crashing signal?
If a .js file is redirected to from a web page, with a Content-Disposition header marking it as a download, and (as is common) the browser downloads automatically to ~/Downloads, doesn't that leave the .js file in a predictable place that can then be used by an attack on Electron?
> ... or on a Samba network share that your computer is already connected to.
Does CSP prevent this working with, for example, a malicious.js file on a remote, attacker-controlled Samba server (configured to allow "anonymous" connections)?