CVE-2018-14023 – Recovering expired messages from Signal

An Italian cybersecurity passionate discovered that it was possible to recover the expired messages from Signal version 1.14.3,

Advisory ID:	n0sign4l-002	Risk level:	4 / 5
Title:	Signal Desktop – Recover Expired Messages	Credit:	Leonardo Porpora – ‘n0sign4l’
Product:	Signal	CVE:	CVE-2018-14023
Version:	1.14.3 and prior	Public Disclosure: 17/08/2018
Vendor:	Open Whisper System

Details

Signal version 1.14.3 was vulnerable to the recovery of expired messages.
When I reported the vulnerability to the Signal Security Team, its experts fixed it in a very short time, but the fix was partial; in fact version 1.14.4, even though fixed one vulnerability, was still vulnerable to a different attack. I reported the new issue to the security team and version 1.15.0-beta.10 finally addressed the problem.

Everything started from a message that was not cleared from the preview of Signal-Desktop

so I said this message must be stored somewhere…, I tried to dump the memory and BOOM 🙂 the message was still there. Messages were stored in the log [I think to double check that they are actually deleted] but they did not clear them with a garbage collector or whatever so I was able to recover them].

The version 1.14.4 fixed this issue but I wanted to try if it was possible to recover messages again from the logs and they were still there. The issue was related to IndexedDB not deleting messages predictably.

Below a video PoC of the vulnerability:

Loading video

Solution

Update Signal to version 1.15.0-beta.10

Final thoughts:

I am very happy to have contributed to the security of Signal, an application that I use every day to talk with my friends, professors…

My contribution was also possible because this is an open-source project and other than just reporting the security hole I had the opportunity to analyze the source code and highlight the flaw.

This is a small example of how effective is the open-source model and I hope everyone can understand the benefits of the community contribution in data protection field so that everybody can provide contributions.

Sorry I can not hear you, there’s interference

n0sign4l 🙂

About the author Leonardo Porpora

I am 17 years old and since I started dealing with informatics and cybersecurity I have been inspired by E. Snowden character, bravery, and value, even when he faced hard consequences for his actions. To me, he is a really special person and I consider him like a brother.

Defending human rights – and privacy in particularly – is a must in a democratic society and for this reason, in my opinion, everybody should use Signal messaging application for their communications.

Original post @ http://n0sign4l.blogspot.com/2018/08/advisory-id-n0sign4l-002-risk-level-4-5.html

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Securi ty Affairs – Signal, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Next An Australian schoolboy hacked into Apple Servers and stole 90GB of secure files »

Previous « Black Hat 2018 - Expert demonstrated a new PHP code execution attack

Published by

Pierluigi Paganini

Tags: CVE-2018-14023Pierluigi PaganiniSecurity AffairsSignal

7 years ago

How Interlock Ransomware Affects the Defense Industrial Base Supply Chain

Interlock Ransomware 's attack on a defense contractor exposed global defense supply chain details, risking…

9 hours ago

Data Breach

Marks and Spencer confirms data breach after April cyber attack

Marks and Spencer (M&S) confirms that threat actors stole customer data in the ransomware attack…

11 hours ago

Cyber Crime

Moldovan Police arrested a 45-year-old foreign man participating in ransomware attacks on Dutch companies

A 45-year-old foreign man has been arrested in Moldova for allegedly participating in ransomware attacks…

17 hours ago

APT group exploited Output Messenger Zero-Day to target Kurdish military operating in Iraq

A Türkiye-linked group used an Output Messenger zero-day to spy on Kurdish military targets in…

18 hours ago

Security

Apple released security updates to fix multiple flaws in iOS and macOS<gwmw style="display:none;"></gwmw>

Apple released security updates to address easily exploitable vulnerabilities impacting iOS and macOS devices. Apple…

23 hours ago

Hacking

U.S. CISA adds TeleMessage TM SGNL to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds TeleMessage TM SGNL flaw to its Known…

1 day ago