It only took five hours to close a critical vulnerability in Signal’s desktop client
A critical vulnerability found in the desktop version of secure messaging app Signal was patched less than five hours after disclosure to the developers, a rapid response that’s earned some plaudits from observers. Security researchers detailed a remote code execution flaw in the Signal desktop application across Windows, Mac OSX and Linux operating systems. A hacker could execute code on a targeted system just by sending a message to the victim because Signal’s desktop app failed to sanitize specific HTML tags that can inject HTML code into remote chat windows. “The critical thing here was that it didn’t require any interaction form[sic] the victim, other than simply being in the conversation,” the researchers wrote. “Anyone can initiate a conversation in Signal, so the attacker just needs to send a specially crafted URL to pwn the victim without further action. And it is platform independent!” Joshua Lund, a developer at Signal, commented that “exploiting this requires the attacker […]
The post It only took five hours to close a critical vulnerability in Signal’s desktop client appeared first on Cyberscoop.