The popular secure messaging application Signal has fixed a security issue that allowed an attacker in control of a Signal server, or able to impersonate one, to append data to attachments handled by the Android app.
Attackers Were Able to Insert Data into Attached Signal Messages
Signal is the app that rose to fame after Edward Snowden recommended it to the public. Security experts also use it for both work and personal correspondence.
The security issue is a message authentication bypass vulnerability. It was discovered by the researchers Jean-Philippe Aumasson and Markus Vervier during an informal audit of the Android version.
The bug allows an attacker who has compromised or impersonated a Signal server to tamper with a valid attachment by appending data to it without the recipient's client noticing. The same team also identified a second problem that at first appeared to allow remote code execution. However, a Signal spokesman has said that this is not possible: because of another bug in the same code path, the flaw can only be used to crash the app remotely.
The attachment corruption issue is the result of an integer overflow that is triggered when an attachment grows larger than 4 gigabytes. The attachment length is handled as a 32-bit integer, which wraps at 4 GB, so the Android client verifies the message authentication code (MAC) over only a small initial portion of the file rather than the whole of it. A MAC is the standard mechanism by which authenticated encryption detects exactly this kind of tampering; here, data appended past the verified region passes the check, and it decrypts to pseudorandom bytes that the recipient receives as part of the attachment. Because the padding needed to reach the 4 GB threshold compresses extremely well, the attacker can ship the oversized attachment in compressed form rather than transferring gigabytes of data.
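The following simulation, added here as an illustration and not taken from Signal's code base, shows how a length truncated to 32 bits lets a padded attachment pass a MAC check that only covers the original bytes. The attachment layout (ciphertext followed by a 32-byte HMAC-SHA256 tag), the `VirtualAttachment` class that stands in for a downloaded file, the `to_int32` emulation of a narrowing cast, and the 100 MiB size cap in `verify_fixed` are all assumptions made for this example; the cap in particular is a defensive choice for the demonstration, not a description of the actual fix.

```python
import hashlib
import hmac

MAC_LEN = 32            # HMAC-SHA256 tag appended after the ciphertext (assumed layout)
CHUNK = 1 << 20         # read size used by the streaming MAC check
SIZE_CAP = 100 << 20    # assumed sanity cap on attachment size; not Signal's real limit


class VirtualAttachment:
    """Models a downloaded attachment: real bytes in `head`, then `padding`
    zero bytes generated lazily so a 4 GiB file needs no memory.
    Constructed for this example; the zeros stand in for attacker padding,
    which compresses to almost nothing in transit."""

    def __init__(self, head: bytes, padding: int = 0):
        self.head = head
        self.padding = padding

    def length(self) -> int:
        # Like a 64-bit file length (Java's File.length() returns a long).
        return len(self.head) + self.padding

    def read(self, offset: int, n: int) -> bytes:
        n = max(0, min(n, self.length() - offset))
        out = bytearray()
        if offset < len(self.head):
            take = self.head[offset:offset + n]
            out += take
            n -= len(take)
        if n:
            out += bytes(n)          # lazily generated padding region
        return bytes(out)


def to_int32(x: int) -> int:
    """Emulate a narrowing cast of a 64-bit length to a signed 32-bit int."""
    x &= 0xFFFFFFFF
    return x - (1 << 32) if x & 0x80000000 else x


def make_attachment(key: bytes, ciphertext: bytes) -> bytes:
    """Sender side: ciphertext || HMAC-SHA256(key, ciphertext)."""
    return ciphertext + hmac.new(key, ciphertext, hashlib.sha256).digest()


def _mac_check(att: VirtualAttachment, key: bytes, body_len: int) -> bool:
    """Stream a MAC over body_len bytes and compare it with the 32 bytes that follow."""
    m = hmac.new(key, digestmod=hashlib.sha256)
    off = 0
    while off < body_len:
        chunk = att.read(off, min(CHUNK, body_len - off))
        m.update(chunk)
        off += len(chunk)
    return hmac.compare_digest(m.digest(), att.read(body_len, MAC_LEN))


def verify_vulnerable(att: VirtualAttachment, key: bytes):
    """Length truncated to 32 bits. If the attacker pads the file by a multiple of
    2^32 bytes, the truncated length equals the original one: the MAC is computed
    over exactly the original ciphertext and compared with the original tag, so
    the check passes. Returns (accepted, bytes the decrypting stage would hand
    over), where the decrypting stage uses the full 64-bit length."""
    body_len = to_int32(att.length()) - MAC_LEN
    if body_len < 0:
        return False, 0
    return _mac_check(att, key, body_len), att.length() - MAC_LEN


def verify_fixed(att: VirtualAttachment, key: bytes):
    """64-bit arithmetic throughout plus an assumed size cap, so the MAC always
    spans everything that will later be decrypted."""
    total = att.length()
    if total < MAC_LEN or total > SIZE_CAP:
        return False, 0
    body_len = total - MAC_LEN
    return _mac_check(att, key, body_len), body_len


if __name__ == "__main__":
    key = b"k" * 32                                  # constructed test key
    blob = make_attachment(key, b"ciphertext bytes" * 100)
    padded = VirtualAttachment(blob, padding=1 << 32)   # 4 GiB of attacker padding
    print("vulnerable:", verify_vulnerable(padded, key))
    print("fixed:     ", verify_fixed(padded, key))
```

Running the script shows the vulnerable check accepting the padded file and reporting over four gigabytes of decryptable data, while the fixed check rejects it; the same fixed check still accepts the untampered attachment and rejects a file with even a single extra byte, because the MAC then no longer lines up with the tag.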
The security researchers disclosed the vulnerabilities to Signal on September 13. A fix has been committed to Signal's GitHub repository, but it has not yet shipped in the build available on the Google Play store. The researchers are still checking whether WhatsApp and Facebook Messenger, which are built on Signal code, are affected as well.