It only took five hours to close a critical vulnerability in Signal’s desktop client

Researchers and developers working in harmony. It can be done!
(Emma Whitehead/Getty/Open Whisper Systems)

A critical vulnerability found in the desktop version of secure messaging app Signal was patched less than five hours after disclosure to the developers, a rapid response that’s earned some plaudits from observers.

Security researchers detailed a remote code execution flaw in the Signal desktop application across Windows, Mac OSX and Linux operating systems. A hacker could execute code on a targeted system just by sending a message to the victim, because Signal’s desktop app failed to sanitize specific HTML tags that could be used to inject HTML code into remote chat windows.

“The critical thing here was that it didn’t require any interaction form[sic] the victim, other than simply being in the conversation,” the researchers wrote. “Anyone can initiate a conversation in Signal, so the attacker just needs to send a specially crafted URL to pwn the victim without further action. And it is platform independent!”

Joshua Lund, a developer at Signal, commented that “exploiting this requires the attacker to first manually place malware (a malicious JavaScript file) on your computer or on a Samba network share that your computer is already connected to.”


The problem was first discovered late last Thursday. Researchers disclosed the issue to Signal’s developers on Friday around 1 p.m. By 5 p.m., a security update — version 1.10.1 — was published.

Open Whisper Systems, which develops Signal, did not respond to a request for comment.

Signal’s applications and technology have been gaining prominence of late. Microsoft’s adoption of Signal’s encryption protocol followed similar moves by Facebook, WhatsApp and Google. The technology is used in chats for billions of users.

The Signal Foundation, a newly founded nonprofit, recently took in $50 million from WhatsApp founder Brian Acton.
