This post has been rewritten throughout to make clear that the MAC-bypass vulnerability allows attackers to append pseudorandom data to encrypted attachments. It doesn't allow attackers to choose the underlying plaintext of the tampered attachment or to replace one attachment with another. The revision also makes clear that compression is effective only while the modified attachment is in transit, and that the attachment must be decompressed to a size of more than 4 gigabytes once received by the other party. Last, the revisions remove analysis about nation-sponsored attackers, because they aren't likely to exploit this kind of bug. The reporter initially misunderstood the research and didn't confirm it with Signal developers before publishing. The reporter regrets the error.

Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to append random data to the attachments of encrypted messages sent by Android users. The fix is available as a GitHub commit, but isn't yet available in the Google Play market for Android apps.

The message-authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal. The bug made it possible for attackers who compromised or impersonated a Signal server to modify a valid attachment by appending data to it. Because the appended bytes decrypt to pseudorandom data, the attacker can make the received file larger and corrupt it, but cannot choose what the added portion contains. A second bug possibly would have allowed attackers to remotely execute malicious code, but Vervier told Ars that a third bug limited exploits to a simple remote crash.
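The following script is an added illustration of the two points made above and in the correction note: a correctly checked MAC rejects anything appended to an encrypted attachment, and when that check is bypassed the appended bytes decrypt to pseudorandom junk that compresses well on the wire but not after decryption. It is not Signal's code and does not model the real root cause, which the article does not describe; the MAC bypass is modelled simply as a receiver that never consults the tag, the cipher is a toy HMAC-SHA256 keystream standing in for a real block cipher, and the appended size is scaled down from 4 GiB to 1 MiB so the script runs in about a second. All keys, the sample attachment, and the function names are constructed for this example.

```python
import hashlib
import hmac
import os
import zlib

# Constructed, scaled-down parameters: the article's threshold is 4 GiB of
# decompressed data; 1 MiB keeps the script fast while showing the same effect.
APPENDED_BYTES = 1 << 20
NONCE_LEN, TAG_LEN = 16, 32
SAMPLE_PLAINTEXT = b"constructed sample attachment: quarterly report.pdf"


def _xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode); stands in for a real
    # block cipher so the script needs only the standard library.
    blocks = [
        hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        for counter in range((length + 31) // 32)
    ]
    return b"".join(blocks)[:length]


def encrypt_attachment(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    body = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def verify_and_decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Correct receiver: MAC over every byte before the tag, constant-time compare."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("attachment too short")
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("MAC mismatch: attachment was modified in transit")
    return _xor(body, _keystream(enc_key, nonce, len(body)))


def decrypt_ignoring_mac(enc_key: bytes, blob: bytes) -> bytes:
    """Stand-in for the bypassed check: same decryption, tag never consulted.
    This is a modelling assumption, not the mechanism of the real bug."""
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN]
    return _xor(body, _keystream(enc_key, nonce, len(body)))


def append_in_transit(blob: bytes, extra: int) -> bytes:
    """What a compromised or impersonated server can do: splice highly
    compressible zero bytes between the ciphertext and the original tag."""
    return blob[:-TAG_LEN] + bytes(extra) + blob[-TAG_LEN:]


def run_scenario(plaintext: bytes = SAMPLE_PLAINTEXT) -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    honest = encrypt_attachment(enc_key, mac_key, plaintext)
    tampered = append_in_transit(honest, APPENDED_BYTES)

    # 1. A correct MAC check catches the appended bytes.
    try:
        verify_and_decrypt(enc_key, mac_key, tampered)
        rejected = False
    except ValueError:
        rejected = True

    # 2. With the check bypassed, the receiver gets the original file followed
    #    by pseudorandom junk: the attacker appended zeros but cannot pick what
    #    they decrypt to, because the keystream for those positions is secret.
    leaked = decrypt_ignoring_mac(enc_key, tampered)
    tail = leaked[len(plaintext):]

    # 3. Compression helps only on the wire: the zero run shrinks, the receiver
    #    must inflate the full size, and the decrypted tail is incompressible.
    on_wire = zlib.compress(tampered)
    return {
        "honest_roundtrip": verify_and_decrypt(enc_key, mac_key, honest) == plaintext,
        "tampered_rejected": rejected,
        "bypass_prefix_intact": leaked.startswith(plaintext),
        "bypass_total_len": len(leaked),
        "tail_compressed_len": len(zlib.compress(tail)),
        "wire_len": len(on_wire),
        "received_len": len(zlib.decompress(on_wire)),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The `tampered_rejected` result is the check a practitioner should expect from any encrypt-then-MAC receiver: the tag must cover every byte that will be decrypted, and the comparison must happen before any of the body is released. The wire-versus-received sizes show why the correction note stresses that compression only helps in transit.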



Signal fixes bug that lets attackers corrupt encrypted attachments [Updated]