Remote attackers just need to send a message 💬 on Signal to inject & execute malicious code onto targeted…

John Hardy Technical Labour May 13, 2018 1 Minute

Remote attackers just need to send a message 💬 on Signal to inject & execute malicious code onto targeted systems—without requiring any recipients’ interaction

Electron is not a secure platform.

https://thehackernews.com/2018/05/signal-messenger-vulnerability.html

Published by John Hardy

Closures are a poor man's object. Objects are a poor man's closure. View all posts by John Hardy

Published May 13, 2018

10 thoughts on “Remote attackers just need to send a message 💬 on Signal to inject & execute malicious code onto targeted…”

John Jainschigg says:

May 13, 2018 at 5:48 am

If I weren’t crying, it would be hard not to laugh, eh?

LikeLike

Reply
Meng Shen Lim says:

May 13, 2018 at 6:30 am

At least Signal is being okay with this disclosure. I can’t expect FB’s Whatsapp to be this open about their vulnerabilities. All these years of using it, not once there is a scare to prompt users to use an updated client.

The way the old CCleaner (before the Avast buyout) actively prompted their users to update because of a trojan bug should be the norm, not the exception.

LikeLike

Reply
Satyr Icon says:

May 13, 2018 at 12:25 pm

Well that sure says something about signal being one of the most secure messaging apps.

fossbytes.com – 8 Best Secure And Encrypted Messaging Apps For Android & iOS

LikeLike

Reply
John Hardy says:

May 13, 2018 at 1:24 pm

Satyr Icon this is just a problem on desktops. Electron is basically a web page without a sandbox.

LikeLike

Reply
Meng Shen Lim says:

May 13, 2018 at 1:29 pm

Funny how the “desktop” client for Whatsapp is also basically a wrapper for web.whatsapp.com.

After mulling on it for a while, I now decided to use it on a browser because its functionally the same without bugs from the desktop wrapper.

LikeLike

Reply
John Hardy says:

May 13, 2018 at 1:31 pm

Yes and they will get better. Progressive web apps will eventually render Electron apps unnecessary.

LikeLike

Reply
Meng Shen Lim says:

May 13, 2018 at 1:41 pm

John Hardy Turnbull delenda est Unless that person has gotten used to the ideas in Chrome OS (apps are basically PWAs), perhaps people have gotten used to the idea of clicking that Internet icon thing and typing out, then autofilling the name of the site/ open bookmark for the “apps” they use.

Maybe its just me but if people are to be retrained/retaught in their thinking of web sites like FB/Instagram as apps, would people readily embrace PWAs or pfft, old fashioned way is the way?

Even I absent mindedly open Spotify’s web client although I have installed the desktop clients on the machines I use. I am getting on with age already..

LikeLike

Reply
Ramin Honary says:

May 13, 2018 at 2:16 pm

Just putting this out there: X11 over SSH is still a thing, lots of widget toolkits are built on top of it, and it’s easier than ever before to port more libX11 client apps to more operating systems!!!

It’s still a no-go on touch screen devices, but if we’re talking about desktop apps, then why not?

LikeLike

Reply
Chris Knutson says:

May 14, 2018 at 3:42 pm

My money is on this being an Electron issue.

LikeLike

Reply
John Hardy says:

May 14, 2018 at 9:07 pm

Subatomic particles are definitely involved at some level.

LikeLike

Reply

Share this:

Related

Published by John Hardy

10 thoughts on “Remote attackers just need to send a message 💬 on Signal to inject & execute malicious code onto targeted…”

Leave a comment Cancel reply