Researchers have discovered two vulnerabilities in Signal for desktop that could allow local attackers to access attachments sent by the user in the past or replace the files with poisoned clones.
The flaws are present on all Signal clients for desktop, including Windows, Linux, and macOS, since they all share the same codebase, and all versions up to the most recent, v6.2.0.
The vulnerabilities, tracked as CVE-2023-24068 and CVE-2023-24069, were discovered by independent security researcher John Jackson, who laid out the process of finding them in a blog on his site.
Signal stores message attachments in unencrypted form in an unprotected directory on the computer, giving them a random alphanumeric name and an extension not associated with any software.
However, an attacker with local access to the device, either through physical access or after infecting the target with malware, could rename the files with the correct extension so they open in the proper application. For example, image files can be retrieved by adding the PNG extension, documents can be retrieved with PDF or DOC, etc.
Jackson also discovered that if the user deletes the attachments from within the Signal client, it is still possible to retrieve them and make them reappear in that directory by replying to the attachment message.
This vulnerability received the identifier CVE-2023-24069 and does not have a severity rating yet.
The second flaw, tracked as CVE-2023-24068, concerns a lack of a validation mechanism in Signal desktop, which makes it impossible for users to determine if the locally stored attachments have been tampered with.
Theoretically, a local attacker could poison the files and wait for the victim to forward them to their peers, infecting them with malware/spyware.
The exploitation of the second flaw is more complicated and depends on several prerequisites, but it wouldn’t be unrealistic in certain settings where the victim frequently shares files with their colleagues.
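The missing piece described above is an integrity check over the locally stored attachments. The following is an added example, not Signal's code: it builds a SHA-256 manifest of an attachments directory and later reports files that were modified, removed or added, which is what a user or endpoint agent would need to detect the tampering scenario. The directory and file names are constructed for the demo, and the manifest must itself be kept out of the local attacker's reach (for example signed or stored remotely), which the demo does not implement.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large attachments need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(attachments_dir: Path) -> dict:
    """Record a digest for every regular file below the attachments directory."""
    return {
        str(p.relative_to(attachments_dir)): sha256_file(p)
        for p in sorted(attachments_dir.rglob("*"))
        if p.is_file()
    }


def verify_manifest(attachments_dir: Path, manifest: dict) -> dict:
    """Compare the directory against a trusted manifest and report every discrepancy."""
    current = build_manifest(attachments_dir)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the directory and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Random-looking names with a generic extension, as described for Signal desktop
        (d / "a1b2c3.attachment").write_bytes(b"\x89PNG constructed image bytes")
        (d / "d4e5f6.attachment").write_bytes(b"%PDF-1.4 constructed document")
        manifest = build_manifest(d)  # in practice: persist this where the attacker cannot write
        (d / "a1b2c3.attachment").write_bytes(b"%PDF-1.4 replaced contents")  # tampered
        (d / "d4e5f6.attachment").unlink()  # removed
        (d / "789abc.attachment").write_bytes(b"unexpected new file")  # added
        return verify_manifest(d, manifest)
```

Running `demo()` returns one entry in each of the `modified`, `missing` and `added` lists, which is the signal an endpoint monitor would alert on.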
Signal has disputed the significance of Jackson's findings and contested the assignment of the associated CVE IDs by the CVE Program.
The president of Signal, Meredith Whittaker, stated on Twitter that it’s not within the software’s scope to protect users from such a level of compromise, where attackers have local access to the target systems.
Hence, it can be concluded that the developers of the secure instant messenger do not plan to introduce additional mechanisms to validate attachments or to purge locally stored files properly.
If you’re overly worried about the exploitation scenarios described above, you may simply stick to the mobile version of Signal, which isn’t impacted by the newly discovered flaws.