Critical Vulnerability Found in Signal App for Windows and Linux

A critical vulnerability has been discovered in the Signal app for Windows and Linux, allowing malicious code sent via Signal to be executed on the recipient’s system without any interaction from the user.

Security researcher Alfredo Ortega identified this serious flaw in the popular encrypted messaging app Signal for Windows and Linux operating systems. The vulnerability enables a remote attacker to execute malicious code on a recipient’s system simply by sending a specially crafted message.

As demonstrated by the researcher in a video, JavaScript code sent through Signal can be successfully executed on the recipient’s system without any user action. While technical details about the vulnerability have not yet been released, it appears to allow for arbitrary code execution or at least an XSS attack, potentially enabling attackers to inject malicious code into targeted Windows and Linux systems.

The researcher noted that successfully exploiting this issue requires chaining together several other vulnerabilities. It is currently unclear whether these vulnerabilities exist solely in Signal’s source code or also affect Electron, the popular web application framework on which Signal is built. If the vulnerability lies within Electron, it could also impact other widely used applications built on the same framework, such as Skype, WordPress, and Slack.

Additionally, the cybersecurity community is concerned about the potential for attackers to steal Signal’s encryption keys using this vulnerability.

The app’s developer, Open Whisper Systems, released patched versions of Signal within hours of being notified by the researcher. The vulnerability was fixed in Signal version 1.10.1 and beta version 1.11.0-beta.3. Users are strongly advised to update the app as soon as possible.

Video Demonstration of the Attack

For a demonstration of the attack, see the video provided by the researcher.
