{"id":20597,"date":"2023-01-25T06:17:38","date_gmt":"2023-01-25T11:17:38","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/signal-desktop-file-vulnerabilities\/20597\/"},"modified":"2023-01-25T19:43:07","modified_gmt":"2023-01-25T15:43:07","slug":"signal-desktop-file-vulnerabilities","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/signal-desktop-file-vulnerabilities\/20597\/","title":{"rendered":"Newly-discovered Signal vulnerabilities \u2014 how dangerous are they?"},"content":{"rendered":"

Cybersecurity researcher John Jackson has published a study<\/a> on two vulnerabilities he\u2019s found in the Signal messenger desktop client \u2014 CVE-2023-24069<\/a> and CVE-2023-24068<\/a>. The expert is sure that malefactors can exploit these vulnerabilities for espionage. Since Signal desktop applications for all operating systems have a common code base, both vulnerabilities are present not only in the Windows client, but in the MacOS and Linux clients as well. All versions up to the latest (6.2.0) are vulnerable. Let\u2019s look at how real the threat is.<\/p>\n

The CVE-2023-24069 and CVE-2023-24068 vulnerabilities: what gives?<\/h2>\n

The first vulnerability, CVE-2023-24069, lies in an ill-conceived mechanism that handles files sent via Signal. When you send a file to a Signal chat, the desktop client saves it in a local directory. When a file is deleted, it disappears from the directory\u2026 unless someone answers it or forwards it to another chat. Moreover, despite the fact that Signal is positioned as a secure messenger and all communications via it are encrypted, the files are stored in unprotected form.<\/p>\n

The second vulnerability, CVE-2023-24068, was found upon closer study of the client. It turns out that the client lacks a file validation mechanism. Theoretically, this allows an attacker to replace them. That is, if the forwarded file is opened on the desktop client, someone could replace it in the local folder with a forged one. Therefore, with further transfers, a user will distribute the switched file instead of the one they were intended to forward.<\/p>\n

How might these vulnerabilities be dangerous?<\/h2>\n

The potential risks posed by CVE-2023-24069 are more or less understandable. If a user of Signal\u2019s desktop version leaves their computer unlocked and unattended, someone could gain access to files sent through Signal. The same thing may happen if full disk encryption is enabled on the computer and the owner tends to leave it somewhere unattended (in hotel rooms, for example).<\/p>\n

The exploitation of the second vulnerability requires a more comprehensive approach. Let\u2019s say a person frequently receives and sends files through the Signal desktop app (for example, a manager sending tasks to subordinates). Here, an attacker with access to this computer can replace one of the files, or, for the sake of stealth, modify an existing document, for example by inserting a malicious script into it. Thus, with further transfers of the same file, its owner will spread the malware to their contacts.<\/p>\n

It\u2019s important to emphasize that exploitation of both vulnerabilities is possible only if the attacker already has access to the victim\u2019s computer. But this isn\u2019t an unreal scenario \u2014 we\u2019re not necessarily talking about physical access. It would be enough to infect the computer with malware that allows outsiders to manipulate files.<\/p>\n

How to stay safe?<\/h2>\n

According to the CVE Program, Signal developers disagree<\/a> with the importance of these vulnerabilities, stating that their product should not and cannot protect from attackers with this level of access to the victim\u2019s system. Therefore, the best advice would be not to use the desktop version of Signal (and desktop versions of messengers in general). But if your working process requires it for some tasks, then we recommend the following:<\/p>\n