Cybersecurity researcher John Jackson has published a study on two vulnerabilities he’s found in the Signal messenger desktop client — CVE-2023-24069 and CVE-2023-24068. The expert is sure that malefactors can exploit these vulnerabilities for espionage. Since Signal desktop applications for all operating systems have a common code base, both vulnerabilities are present not only in the Windows client, but in the MacOS and Linux clients as well. All versions up to the latest (6.2.0) are vulnerable. Let’s look at how real the threat is.
The CVE-2023-24069 and CVE-2023-24068 vulnerabilities: what gives?
The first vulnerability, CVE-2023-24069, lies in an ill-conceived mechanism that handles files sent via Signal. When you send a file to a Signal chat, the desktop client saves it in a local directory. When a file is deleted, it disappears from the directory… unless someone answers it or forwards it to another chat. Moreover, despite the fact that Signal is positioned as a secure messenger and all communications via it are encrypted, the files are stored in unprotected form.
The second vulnerability, CVE-2023-24068, was found upon closer study of the client. It turns out that the client lacks a file validation mechanism. Theoretically, this allows an attacker to replace them. That is, if the forwarded file is opened on the desktop client, someone could replace it in the local folder with a forged one. Therefore, with further transfers, a user will distribute the switched file instead of the one they were intended to forward.
How might these vulnerabilities be dangerous?
The potential risks posed by CVE-2023-24069 are more or less understandable. If a user of Signal’s desktop version leaves their computer unlocked and unattended, someone could gain access to files sent through Signal. The same thing may happen if full disk encryption is enabled on the computer and the owner tends to leave it somewhere unattended (in hotel rooms, for example).
The exploitation of the second vulnerability requires a more comprehensive approach. Let’s say a person frequently receives and sends files through the Signal desktop app (for example, a manager sending tasks to subordinates). Here, an attacker with access to this computer can replace one of the files, or, for the sake of stealth, modify an existing document, for example by inserting a malicious script into it. Thus, with further transfers of the same file, its owner will spread the malware to their contacts.
It’s important to emphasize that exploitation of both vulnerabilities is possible only if the attacker already has access to the victim’s computer. But this isn’t an unreal scenario — we’re not necessarily talking about physical access. It would be enough to infect the computer with malware that allows outsiders to manipulate files.
How to stay safe?
According to the CVE Program, Signal developers disagree with the importance of these vulnerabilities, stating that their product should not and cannot protect from attackers with this level of access to the victim’s system. Therefore, the best advice would be not to use the desktop version of Signal (and desktop versions of messengers in general). But if your working process requires it for some tasks, then we recommend the following:
- teaching your employees not to leave an unlocked computer unattended;
- always using full disk encryption on working devices;
- employing security solutions that can detect and stop malware and attempts at unauthorized accessing of your data.