Signal may be the most trusted messaging app, but it's not perfect.


Signal, the mobile messaging app recommended by NSA leaker Edward Snowden and a large number of security professionals, just fixed a bug that allowed attackers to tamper with the contents of encrypted messages sent by Android users.

The authentication-bypass vulnerability was one of two weaknesses found by researchers Jean-Philippe Aumasson and Markus Vervier in an informal review of the Java code used by the Android version of Signal. The bug made it possible for attackers who compromised a Signal server, or were otherwise able to monitor data passing between Signal users, to replace a valid attachment with a fraudulent one. A second bug possibly would have allowed attackers to remotely execute malicious code, but a third bug limited exploits to a simple remote crash.

"The results are not catastrophic, but show that, like any piece of software, Signal is not perfect," Aumasson wrote in an e-mail. "Signal drew the attention of many security researchers, and it's impressive that no vulnerability was ever published until today. This pleads in favor of Signal, and we'll keep trusting it."

The attachment-spoofing vulnerability was the result of an integer overflow bug that was triggered when extremely large files were attached to a message. Instead of verifying the authenticity of the entire file, Signal would check only a small portion, making it possible for attackers to append fraudulent data that wouldn't be detected by the MAC (message authentication code) that's a standard part of most encryption schemes. To make such attacks practical, an adversary could use file compression that's supported by Signal to reduce the size of the malicious attachment to a manageable 4 megabytes.

In his e-mail, Aumasson said the overflow bug was found in the following line of code:

int remainingData = (int) file.length() - mac.getMacLength();

He explained:

Here, the value "file.length()" is a number encoded on 64 bits (of type "long"), whereas the receiving variable "remainingData" is a number encoded on 32 bits (of type "int"). Therefore, when "file.length()" is longer than what fits in a 32-bit number, the value of "remainingData" (the number of bytes left to process) will be incorrect, as it will be much smaller than the real size of the file. Consequently, a large part of the file will be ignored when Signal verifies the cryptographic authenticity. Signal will only check the (small) beginning of the file, whereas the user will actually receive the much larger file.

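
The narrowing that Aumasson describes can be reproduced without any of Signal's code. The following Java program is an added example, not code from the original article or from Signal; the method names, the placeholder HMAC key and the hardened variant are all this example's own choices, and the page does not say what the actual fix looked like. It evaluates the quoted expression for an ordinary attachment and for two constructed oversized lengths, then shows a version that keeps the arithmetic in 64 bits and refuses sizes that cannot be represented:

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AttachmentLengthDemo {

    // Vulnerable form, mirroring the quoted line: the 64-bit length is narrowed
    // to 32 bits before the MAC length is subtracted, so only the low 32 bits of
    // the real size survive and the MAC check covers far less than the file.
    static int vulnerableRemaining(long fileLength, int macLength) {
        return (int) fileLength - macLength;
    }

    // Hardened form (this example's own, not Signal's patch): keep the arithmetic
    // in long and reject anything shorter than the tag or larger than can be
    // indexed as an int, so the verifier never silently covers less than the file.
    static long hardenedRemaining(long fileLength, int macLength) {
        if (fileLength < macLength) {
            throw new IllegalArgumentException("attachment shorter than its MAC tag");
        }
        if (fileLength > Integer.MAX_VALUE) {
            throw new IllegalArgumentException("attachment exceeds the supported size");
        }
        return fileLength - macLength;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Same JCE API as the quoted line for the tag length; the key is a placeholder.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec("placeholder-key".getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        int macLength = mac.getMacLength(); // 32 bytes for HMAC-SHA256

        long[] sizes = {
            1_000_000L,          // ordinary 1 MB attachment
            (1L << 31) + 100L,   // just past Integer.MAX_VALUE (constructed value)
            (1L << 32) + 100L,   // 4 GiB + 100 bytes (constructed value)
        };

        for (long size : sizes) {
            int unsafe = vulnerableRemaining(size, macLength);
            System.out.printf("file length %,d -> vulnerable remainingData = %d%n", size, unsafe);
            try {
                System.out.printf("   hardened remaining = %d%n", hardenedRemaining(size, macLength));
            } catch (IllegalArgumentException e) {
                System.out.println("   hardened check rejected it: " + e.getMessage());
            }
        }
    }
}
```

For the 1 MB file both forms agree on 999,968 bytes to verify. For 2^31 + 100 bytes the cast wraps to a negative int, so the vulnerable remainder is -2,147,483,580 and a verification loop conditioned on a positive count would process nothing. For 2^32 + 100 bytes the cast keeps only the low 32 bits, yielding a remainder of 68: the MAC would be checked over 68 bytes while the user receives a file of more than 4 GB, which is exactly the gap the attachment-spoofing attack exploits. The hardened form rejects both oversized inputs before any verification runs.
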
One of the reasons for Signal's appeal is that it deploys end-to-end encryption, meaning it encrypts a message on the sender's device and doesn't decrypt it until it is safely stored on the receiving device. Still, the encrypted message passes through a server. The authentication bypass exploit could be carried out by hacking or impersonating such a server and then tampering with message attachments. To circumvent transport-layer security protections, an impersonating attacker might compromise any one of the hundreds of certificate authorities trusted by the Android operating system or trick targets into installing a rogue CA certificate on their devices. Additional details about the vulnerabilities are here.

While the hack is by no means trivial to carry out, it's within the capability of the kind of nation-sponsored adversaries included in the threat model of many Signal users. The researchers privately reported the vulnerabilities to Signal developer Open Whisper Systems on September 13, and the company has already issued an update. Aumasson and Vervier, who are the principal research engineer at Kudelski Security and the CEO and head of security research at X41 respectively, said they're still working to determine if the same bugs can be exploited in WhatsApp, the Facebook messaging app that also relies on Signal code.