Makeover of Conversation Attachments Allows Malicious Modifications

CVE-2023-24068

What is CVE-2023-24068?

The CVE-2023-24068 vulnerability affects the Signal Desktop application on Windows, Linux, and macOS. It allows an attacker to modify conversation attachments within the attachments.noindex directory, potentially inserting or replacing malicious code in pre-existing attachments. The impact includes the ability to masquerade malware as legitimate files and distribute them to external groups without changing the name or size of the file. Exploitation would require local access to the victim's system. The vendor has disputed the relevance of the finding, stating that the product is not intended to protect against this level of local access. However, security experts recommend using full disk encryption, not leaving computers unattended, and employing security solutions to mitigate the risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch →

News Articles

The Security Ledger

CVE-2023-24068CVE-2023-24069

Beware: Images, Video Shared on Signal Hang Around

Photos and video files shared in Signal secure messaging app chats may be hanging around, even after the messages in which they were shared are deleted.

InfoSec Write-ups

CVE-2023-24069CVE-2023-24068

Signal Client v6.2 and earlier versions vulnerable to CVE-2023–24068 & CVE-2023–24069

After I read the PoC from John Jackson, I had to try. I ran into my computer and checked the version of the Signal Client that I had installed. The version is 6.2.0, which is allegedly vulnerable. So…

RestorePrivacy

CVE-2023-24069CVE-2023-24068

Signal for Desktop is Vulnerable to Attachments Exposure

Two flaws in Signal could allow local attackers to access attachments sent by the user in the past or replace the files with poisoned clones.

More News...

References