Remote zero-click JavaScript code execution on signal desktop message app. Thanks and
Conversation
Signal desktop app is based on the insecure Electron runtime. See my report here:
5
47
126
I wish I could feel the sweet "I told you so, fuckers" sensation you are having right now.
1
79
Show replies
This Tweet was deleted by the Tweet author. Learn more
4
There are quite a few identically implemented chat clients. I wonder if this is also exploitable on those:
whatsapp messengerfordesktop slack...
1
5
Wow, reproduced this. I can't believe this trivial of a mistake was made and not caught before deployment. The patch looks very sketchy too, I doubt it can't be bypassed. Nice work folks!
1
1
18
Quote Tweet
Signal just pushed an update to the desktop app that fixes the bug @ortegaalfredo showed on Twitter this afternoon. github.com/signalapp/Sign
Show this thread
4








