A few days ago some researchers discovered an HTML injection vulnerability in Signal Desktop and published a disclosure. The Signal team quickly released an update on May 11th; the problem was in the file /js/views/message_view.js.
Reading the changes to message_view.js, it seemed that the Signal team had only fixed the "problem of the URL". So, maybe, I could still inject HTML code somehow. Signal Desktop does not have many features, so I started by sending myself a basic message:
<b>PROVA</b>. Obviously nothing happened. So I tried the "Reply to message" feature, and BINGO! My original message
<b>PROVA</b> has become
The vulnerability is the same as in the first report; the difference is that the attacker must send two messages: the first message contains the HTML code, and the second message is a reply to the first, which causes the code to be rendered. I found this vulnerability on May 15, but a few hours later it was fixed with an update (v 1.11.0), before I had sent the report to the Signal developers. Someone (@mis2centavos) tweeted about the new vulnerability a few hours before me.
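To make the bug class concrete, here is an added example (not Signal's code, and not taken from message_view.js) of a hypothetical reply renderer that escapes the reply text but forgets to escape the quoted message, beside the hardened version that escapes every untrusted field at the point it enters the markup. The `renderReply*` and `hasUnexpectedTags` function names and the sample messages are my own construction.

```javascript
// Added example: a quoted-reply preview that reintroduces HTML injection,
// and the fix. Hypothetical code, not the Signal Desktop implementation.

// Minimal HTML escaping for text placed inside an element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern (hypothetical): the reply body is escaped, but the
// quoted original message is interpolated into the template as-is.
function renderReplyVulnerable(quotedBody, replyBody) {
  return '<div class="quote">' + quotedBody + '</div>' +
         '<div class="body">' + escapeHtml(replyBody) + '</div>';
}

// Hardened: every untrusted string is escaped where it enters the markup,
// including the quoted message shown in the reply preview.
function renderReplySafe(quotedBody, replyBody) {
  return '<div class="quote">' + escapeHtml(quotedBody) + '</div>' +
         '<div class="body">' + escapeHtml(replyBody) + '</div>';
}

// Regression check: the template only ever emits <div> tags, so any other
// tag name in the rendered output means user content became markup.
function hasUnexpectedTags(html, allowed = ['div']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)]
    .map(m => m[1].toLowerCase());
  return tags.some(t => !allowed.includes(t));
}

// Constructed sample: the message from this post, then a reply to it.
const ORIGINAL = '<b>PROVA</b>';
const REPLY = 'ok';
```

Running `hasUnexpectedTags` over both renderers with the sample input shows the vulnerable one emitting a `<b>` tag that never appeared in the template, while the hardened one emits only the template's own `<div>` tags.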
Proof of Concept
15/05/2018 - Signal Desktop is updated to version 1.11.0