Cybersecurity researcher John Jackson has published a study on two vulnerabilities he found in the Signal messenger desktop client: CVE-2023-24068 and CVE-2023-24069. The expert is sure that malefactors can exploit these vulnerabilities for espionage. Since Signal desktop applications for all operating systems have a common code base, both vulnerabilities are present not only in the Windows client, but in the macOS and Linux clients as well. All versions up to the latest (6.2.0) are vulnerable. Let’s look at how real the threat is.
What are the vulnerabilities CVE-2023-24068 and CVE-2023-24069?
The first vulnerability, CVE-2023-24069, lies in an ill-conceived mechanism that handles files sent via Signal. When you send a file to a Signal chat, the desktop client saves it in a local directory. When a file is deleted, it disappears from the directory … unless someone replied to it or forwarded it to another chat. Moreover, despite the fact that Signal is positioned as a secure messenger and all communications via it are encrypted, the files are stored in unprotected form.
Vulnerability CVE-2023-24068 was found during further study of the client. It turns out that the client lacks a file validation mechanism. Theoretically, that allows an attacker to replace stored files. That is, if the forwarded file was opened on the desktop client, someone can replace it in the local folder with a forged one. Therefore, with further transfers, the user will distribute the switched file instead of the one they intended to forward.
How can vulnerabilities CVE-2023-24068 and CVE-2023-24069 be dangerous?
The potential risks of CVE-2023-24069 are more or less understandable. Say, if a user of Signal’s desktop version leaves an unlocked computer unattended, someone can gain access to files sent through Signal. The same may happen if full disk encryption is not enabled on the computer and the owner tends to leave it somewhere unattended (in hotel rooms, for example).
The exploitation of the second vulnerability requires a more comprehensive approach. Let’s say a person frequently receives and sends files through the Signal desktop app (for example, a manager sending tasks to subordinates). Then an attacker with access to their computer can replace one of the files or, for the sake of stealth, modify an existing document, for example, by inserting a malicious script into it. So, with further transfers of the same file, its owner will spread the malware to their contacts.
It’s important to emphasize that exploitation of both vulnerabilities is possible only if the attacker already has access to the victim’s computer. But this is not an unrealistic scenario: we are not necessarily talking about physical access. It would be enough to infect the computer with malware that allows outsiders to manipulate files.
How to stay safe?
According to the CVE Program, Signal developers dispute the importance of these vulnerabilities, stating that their product should not and cannot protect from attackers with this level of access to the victim’s system. Therefore, the best advice would be not to use the desktop version of Signal (and desktop versions of messengers in general). But if your work process requires it for some tasks, then we recommend:
- teach your employees not to leave an unlocked computer unattended;
- always use full disk encryption on work devices;
- employ security solutions that can detect and stop malware and attempts at unauthorized access to your data.
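Because the client itself does not validate stored files, a defender can add that check from outside. The following is an added example, not code from Signal or from the researcher's study: a minimal integrity baseline for the local attachment directory that flags any stored file whose content has changed. The directory and baseline paths are supplied by the operator (the article does not give them), and the function names are hypothetical.

```python
import hashlib
import json
import os
import sys


def snapshot(directory):
    """Map every file under `directory` (relative path) to its SHA-256 digest."""
    digests = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            path = os.path.join(root, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(path, directory)] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Classify differences between two snapshots."""
    return {
        # Same path, different bytes: the substitution case (CVE-2023-24068).
        # Assumption: a stored attachment is written once and never rewritten.
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        # Expected in normal use (deleted or newly received attachments).
        "removed": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


if __name__ == "__main__":
    # Usage: python attachment_check.py ATTACHMENT_DIR BASELINE_JSON
    # ATTACHMENT_DIR is a placeholder for the client's local attachment folder.
    directory, baseline_path = sys.argv[1], sys.argv[2]
    current, baseline = snapshot(directory), {}
    if os.path.exists(baseline_path):
        with open(baseline_path) as fh:
            baseline = json.load(fh)
        print(json.dumps(compare(baseline, current), indent=2))
    # Keep the first-seen digest for known paths so a swapped file keeps alerting.
    merged = {p: baseline.get(p, d) for p, d in current.items()}
    with open(baseline_path, "w") as fh:
        json.dump(merged, fh, indent=2)
    sys.exit(1 if compare(baseline, current)["modified"] else 0)
```

The baseline is only as trustworthy as its storage: keep it somewhere that a process with the user's file access cannot rewrite, such as a separate account or a central log.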