Signal-desktop-Cross-site Scripting

This article is a part of our Vulnerability Database (back to index)

Cross-site Scripting occurrences in Signal-desktop

Open Whisper Signal (aka Signal-Desktop) through 1.10.1 allows XSS via a resource location specified in an attribute of a SCRIPT, IFRAME, or IMG element, leading to JavaScript execution after a reply, a different vulnerability than CVE-2018-10994. The attacker needs to send HTML code directly as a message, and then reply to that message to trigger this vulnerability. The Signal-Desktop software fails to sanitize specific HTML elements that can be used to inject HTML code into remote chat windows when replying to an HTML message. Specifically the IMG and IFRAME elements can be used to include remote or local resources. For example, the use of an IFRAME element enables full code execution, allowing an attacker to download/upload files, information, etc. The SCRIPT element was also found to be injectable. On the Windows operating system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script on an SMB share within an IFRAME element, for example: and then replying to it. The included JavaScript code is then executed automatically, without any interaction needed from the user. The vulnerability can be triggered in the Signal-Desktop client by sending a specially crafted message and then replying to it with any text or content in the reply (it doesn't matter). (2018-05-17, <a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11101">CVE-2018-11101</a>)</p><p>js/views/message_view.js in Open Whisper Signal (aka Signal-Desktop) before 1.10.1 allows XSS via a URL. (2018-05-14, <a class="link" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10994">CVE-2018-10994</a>)</p></p> </div> <h2 class="typo-h4 m-40"> <p>Why Cross-site Scripting can be dangerous</p> </h2> <div style="margin: 2em;"> <p>Cross site scripting is an attack where a web page executes code that is injected by an adversary. It usually appears, when users input is presented. This attack can be used to impersonate a user, take over control of the session, or even steal API keys.</p> <p>The attack can be executed e.g. when you application injects the request parameter directly into the HTML code of the page returned to the user:</p> <p class="feature-text">https://server.com/confirmation?message=Transaction+Complete</p> <p>what results in:</p> <p class="feature-text"><span>Confirmation: Transaction Complete</span></p> <p>In that case the message can be modified to become a valid Javascript code, e.g.:</p> <p class="feature-text">https://server.com/confirmation?message=<script>dangerous javascript code here</script></p> <p>and it will be executed locally by the user's browser with full access to the user's personal application/browser data:</p> <p class="feature-text"><span>Confirmation: <script>dangerous javascript code here</script></span></p> </div> <a href="/scan-now" class="btn btn--fill"><span>Scan Your Web App Now</span></a> </div> </div> </section> </div> <section class="get-started"> <div class="wrap wrap--inner animate"> <div class="header header--center"> <div class="typo-h2"> <h5>Scan your application<br> for 14 days for free</h5> </div> <p>No credit card is required. No commitment.</p> </div> <a href="/register" class="btn btn--fill"><span>Sign Up Free</span></a> </div> </section> <footer class="footer"> <div class="wrap wrap--inner clearfix"> <div class="col"> <h6>Contact</h6> <p><strong><a href="mailto:team@scanrepeat.com">team@scanrepeat.com</a><br>+1 (415) 340-8020</strong></p> <p><strong>ScanRepeat</strong><br>a Ventures CDX company</p> <p><strong>USA</strong><br>117 Park Avenue, San Jose<br>CA 95113</p> <p><strong>EMEA</strong><br>Laciarska 4, 50-104 Wroclaw<br>Poland</p> </div> <div class="col"> <h6>Product</h6> <ul> <li class=""> <a href="/features" title="Features">Features</a> </li> <li class=""> <a href="/#pricing" title="Pricing">Pricing</a> </li> <li class=""> <a href="/#faq" title="FAQ">FAQ</a> </li> <li class=""> <a href="/#how-it-works" title="How it works">How it works</a> </li> <li class=""> <a href="/web-security-knowledge-base" title="Web Security Knowledge Base">Web Security Knowledge Base</a> </li> <li class=""> <a href="/security-tests" title="Security tests">Security tests</a> </li> <li class=""> <a href="/top-security-issues" title="Top Security Issues (last 30 days)">Top Security Issues (last 30 days)</a> </li> </ul> </div> <div class="col"> <h6>Legal</h6> <ul> <li class=""> <a href="/terms" title="Terms of use">Terms of use</a> </li> <li class=""> <a href="/privacy-policy" title="Privacy policy">Privacy policy</a> </li> <li class=""> <a href="/cookies-policy" title="Cookies policy">Cookies policy</a> </li> </ul> </div> <div class="footer__social social"> <ul> <li> <a href="https://www.facebook.com/ScanRepeat/" aria-label="Facebook" target="_blank" rel="nofollow"><i class="icon-facebook"></i></a> </li> <li> <a href="https://twitter.com/ScanRepeat" aria-label="Twitter" target="_blank" rel="nofollow"><i class="icon-twitter"></i></a> </li> <li> <a href="https://www.linkedin.com/showcase/scanrepeat/" aria-label="LinkedIn" target="_blank" rel="nofollow"><i class="icon-linkedin"></i></a> </li> <li> <a href="https://github.com/ScanRepeat" aria-label="GitHub" target="_blank" rel="nofollow"><i class="icon-github"></i></a> </li>  </ul> </div> </div> <div class="wrap wrap--inner"> <div class="footer__copy"> <p>© ScanRepeat 2020</p> </div> </div> </footer> </main> <script src="/vendor/scripts/vendor.js?v=2301101430"></script> <script src="/vendor/scripts/main.js?v=2301101430"></script> <script src="/vendor/scripts/public_general.js?v=2301101430"></script> </body> </html>