signalapp / Signal-Android

A private messenger for Android.
https://signal.org
GNU Affero General Public License v3.0

Signal Stickers & remote code executions #13195

Open Striker789 opened 9 months ago

Striker789 commented 9 months ago

I had tested out if a non-contact user initiated various stages of media attachments, including voice recordings. I had found that Signal does not process media attachments except stickers. Theoretically and practically speaking, this can be abused to deliver malicious code. This had been seen on Telegram (https://www.shielder.com/blog/2021/02/hunting-for-bugs-in-telegrams-animated-stickers-remote-attack-surface/). Nonetheless, Signal offered that each individual can create their own stickers based off of their personal preference, which furthers the extent of this issue.

Henceforth, in order to prevent such an attack vector, would it not be better that Signal prevent the loading of stickers if the individual is not registered on the recipient's contact list?

I would like to also add that Signal uses the WebP format for stickers. While WebP files have not been widely used to deliver malware, there have been some instances where attackers have attempted to use WebP files to deliver malicious code.

For example, in 2018, security researchers discovered a spam campaign that was distributing malicious PowerPoint documents that contained WebP images with embedded JavaScript code. When the PowerPoint file was opened, the embedded code would execute and download additional malware onto the victim’s computer.

There have also been advanced compression methods used by APTs and other surveillance vendors that used compression mechanisms to deliver JavaScript exploits. The issue is that Signal's library that processes the incoming media can be exploited if a sufficient exploit chain is found (nothing is 100% secure and this claim cannot be refuted since, statistically speaking, vulnerabilities cannot be eliminated). This is research conducted by Google Project Zero (https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html?m=1) indicating the level of complexity of Advanced Persistent Threats and their use of file formats to deliver malware. Therefore, it would be best to prevent this vector of attack by not auto-downloading stickers unless the sender is registered on the contact list.

Just a couple thoughts!
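One way to express the gate proposed in the comment above, as an added illustration that is not Signal's code: a sender-is-contact check combined with cheap WebP container sanity checks (RIFF/WEBP magic, declared sizes consistent with the actual length, a recognised first chunk) that run before any bytes reach the image decoder. The size cap, function names and the constructed sample bytes are assumptions for the sketch.

```python
import struct

def make_sample_webp(fourcc: bytes = b"VP8L", payload: bytes = b"\x2f" + b"\x00" * 7) -> bytes:
    """Constructed sample: a minimal RIFF/WEBP container with one chunk.
    It is not a decodable image; it only exercises the container checks."""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload
    if len(payload) % 2:            # RIFF chunks are padded to an even length
        chunk += b"\x00"
    body = b"WEBP" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body

def webp_container_ok(data: bytes, max_bytes: int = 300_000) -> bool:
    """Structural sanity checks on a WebP blob before handing it to a decoder.
    Rejects oversized, truncated or mislabelled containers cheaply."""
    if len(data) < 20 or len(data) > max_bytes:   # 12-byte RIFF header + 8-byte chunk header
        return False
    if data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return False
    riff_size = struct.unpack("<I", data[4:8])[0]
    if riff_size != len(data) - 8:                # declared size must match what arrived
        return False
    fourcc = data[12:16]
    chunk_size = struct.unpack("<I", data[16:20])[0]
    if fourcc not in (b"VP8 ", b"VP8L", b"VP8X"):  # the only valid first chunks in WebP
        return False
    if 20 + chunk_size > len(data):               # chunk claims more bytes than present
        return False
    return True

def should_auto_render_sticker(sender_is_contact: bool, data: bytes) -> bool:
    """Policy from the issue: auto-render only from contacts, and only if well-formed.
    Anything else is left undownloaded/unrendered until the user opts in."""
    if not sender_is_contact:
        return False
    return webp_container_ok(data)
```

The policy function is where a client would also log the rejection reason, so that malformed stickers from unknown senders show up in telemetry rather than silently reaching the decoder.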

stale[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 7 months ago

This issue has been closed due to inactivity.

stale[bot] commented 5 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] commented 4 months ago

This issue has been closed due to inactivity.