Leonardo Porpora (pseudonym n0sign4l), a 17-year-old high school student from Arezzo, Tuscany-Italy, has discovered an easy to exploit vulnerability in popular encrypted messaging app Signal for iOS that would let malicious hackers bypass the authentication process and access user chats.
According to Leonardo, the vulnerability affects all versions of the application before 126.96.36.199.
The vulnerability works in such a way that it allows attackers to bypass password protection and TouchID with a certain sequence of actions.
In his blog post, Leonardo stated that in Signal’s version 2.23 and below, an attacker can follow below mention steps to access the main application window without authentication. Though, it requires the attacker to have a physical access to the targeted device.
1. Open the app
2. Press the cancel button
3. Click the Home button
4. Open the app again.
A CVE (CVE-2018-9840) has also been assigned this vulnerability. “The Open Whisper Signal app before 2.23.2 for iOS allows physically proximate attackers to bypass the screen locker feature via certain rapid sequences of actions that include app opening, clicking on cancel, and using the home button.”
Video Demonstration 1
“I am all for human rights and Edward Snowden is my inspiration due to his bravery and value, even when he faced hard consequences for his actions,” Leonardo told me on phone. “To me, he is a really special person and I consider him like a brother.”
For those who are not aware, the password-protected access to Signal app was introduced by the company on April 3rd, 2018. “I started the application testing and code analyzing at the same time. Leonardo said. “The day after the release, I found a method to bypass the Signal Screen Locker for iOS.”
“I verified that the error was reproducible and, having checked it on several devices, I had a look at the source code and found the bug that held this security problem. When the screen was unlocked Signal app recorded date and time of the event, but even if you didn’t unlock it – returning to the home page by clicking delete / cancel as an example – this value was updated, restoring the unlock time-out and allowing unauthorized access,” explained Leonardo.
Leonardo reported the vulnerability to Signal whose security team was quick to issue a patch however, the fix was partial since the version 188.8.131.52 was still vulnerable to screen locker bypass, with a slightly different click sequence including following steps:
1. Open the app
2. Click cancel button
3. Click home button
4. Double click on the home button
5. Close the app
6. Open the App
7. Click cancel button
8. Click once the home button
9. Open the app
10. You can see Signal main screen without having been asked for the Password or TouchID
Video Demonstration 2
The good news is that Leonardo has reported the second issue to Signal and at the time of publishing this article, the issue was fixed in Signal app’s version 2.23.2.
Signal has also acknowledged Leonardo’s work by stating on its iOS download page’s description under the “What’s New” section that “This release fixes a bug that made it possible to bypass the new Screen Lock feature. Thanks to Leonardo Porpora for reporting this issue.”
Remember, Signal app on Android and iOS have millions of users worldwide who depend on the app’s security and privacy features. For a 17-year-old to find a vulnerability and report it to the company shows the InfoSec industry will welcome highly talented and honest people in the near future.
If you are using Signal app on iOS make sure it is updated to the latest version and do not leave your phone unattended in public places.