
Just one additional note that might not be immediately clear from the advisory: Exploiting this requires the attacker to first manually place malware (a malicious JavaScript file) on your computer or on a Samba network share that your computer is already connected to.



> Exploiting this requires the attacker to first manually place malware (a malicious JavaScript file) on your computer or on a Samba network share that your computer is already connected to.

I'm Alfredo Ortega, part of the team that wrote the original exploit. This is (unfortunately) not true. The exploit in the video was loaded from a Windows share that the victim's computer was not already connected to. This is possible using "Anonymous shares" in Windows 10 and older Windows versions.

To be clear, you need absolutely no additional software on the victim's computer, besides having a vulnerable signal-desktop running on Windows.


Yeah. That fact seems pretty hidden in the reports. Due to proper CSP only local files will be executed.

If you are who I think you are, maybe you could speculate if there is actually any use for this other than loading local files (local file execution) and crashing signal?


If a .js file is redirected to from a web page, with a Content-Disposition header marking it as a download, and (as is common) the browser downloads automatically to ~/Downloads, doesn't that leave the .js file in a predictable place that can then be used by an attack on Electron?


That could probably be answered by jlund. Electron downloading things by default seems like a pretty bad thing to do.


Or I just expose my malicious share to the Internet. No mounting step necessary.

file://<Evil-IP>/evil.js


> ... or on a Samba network share that your computer is already connected to.

Does CSP prevent this working with, for example, a malicious.js file on a remote, attacker-controlled Samba server (configured to allow "anonymous" connections)?


The CSP policy was 'self'. The problem is that all file:// URIs share an origin in Electron.

So, 'self' is ALL file:// URIs.


I was incorrect about this, and I apologize.



