Date Published: 2018-05-14
Last Update: 2018-05-14
CVE Name: CVE-2018-10994
Class: Code injection
Remotely Exploitable: Yes
Locally Exploitable: No
Vendors contacted: Signal.org
Signal-desktop is the standalone desktop version of the secure Signal messenger. This software is vulnerable to remote code execution from a malicious contact, by sending a specially crafted message containing HTML code that is injected into the chat windows (Cross-site scripting).
- Signal-desktop messenger v1.7.1
- Signal-desktop messenger v1.8.0
- Signal-desktop messenger v1.9.0
- Signal-desktop messenger v1.10.0
Originally found in v1.9.0 and v1.10.0, but after reviewing the source code the aforementioned are the impacted versions.
Upgrade to Signal-desktop messenger v1.10.1 or v1.11.0-beta.3
For safer communications on desktop systems, please consider the use of a safer end-point client like PGP or GnuPG instead.
This vulnerability was found and researched by Iván Ariel Barrera Oro (@HacKanCuBa), Alfredo Ortega (@ortegaalfredo) and Juliano Rizzo (@julianor), with assistance from Javier Lorenzo Carlos Smaldone (@mis2centavos).
Technical Description – Exploit/Concept Code
While discussing a XSS vulnerability on a website using the Signal-desktop messenger, it was found that the messenger software also displayed a code-injection vulnerability while parsing the affected URLs.
The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the and
For example, the use of iframes enables full code execution, allowing an attacker to download/upload files, information, etc. The