Hard News Hard Hitting News Source Global Political News

XSS flaw in Wire messaging app allowed attackers to ‘fully control’ user accounts

The maintainers of the Wire secure messaging app have patched the software against two security vulnerabilities, one of which could have allowed an attacker to “fully control” user accounts.

Based in Germany with offices in the US, Sweden, and Switzerland, Wire is a free and open source secure messaging platform with commercial options for enterprise customers.

After reviewing the platform, independent security researcher Kane Gamble discovered two vulnerabilities impacting the web and iOS versions of Wire.

Wire, tapped

The first flaw, present in Wire web app versions 2021-05-10 and earlier, is a cross-site scripting (XSS) issue involving the createObjectURL image handler.

Tracked as CVE-2021-32683, the XSS could be triggered when a user opened an image whose file data carried an embedded malicious payload. The picture itself rendered normally, but the payload executed in the origin of app.wire.com.

Successful exploitation would let an attacker act as the affected Wire user; according to the related GitHub advisory, it “allows the attacker to fully control the user account”.

“Wire didn’t validate whether a real image is uploaded or not, so you could change the content-type to text/HTML, allowing malicious JavaScript to be executed,” Gamble told The Daily Swig.

“So, if you upload a valid image with an XSS payload at the bottom, the image is rendered fine. But once opened in a new tab, the XSS is then fired.”
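The root cause the researcher describes is that the MIME type attached to the downloaded asset (and so to the blob: URL the browser opens) was taken from the sender-declared content type rather than from the file itself. The following is an added example, not Wire's code, showing the vulnerable choice beside a hardened one: the Blob type is derived from the file's magic bytes and a fixed allowlist, so a PNG with HTML appended and declared as text/html is still served as image/png. The sample bytes are constructed here; the function names and the accepted image types are assumptions for the example.

```javascript
// Added example (not Wire's code): choose the MIME type for a blob: URL from the
// bytes and an allowlist, never from the sender-declared Content-Type.

// Magic-number table for the image types this hypothetical client accepts.
const IMAGE_SIGNATURES = [
  { type: "image/png",  offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { type: "image/jpeg", offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { type: "image/gif",  offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] },
  // WebP: "RIFF" at offset 0 and "WEBP" at offset 8.
  { type: "image/webp", offset: 0, bytes: [0x52, 0x49, 0x46, 0x46],
    also: { offset: 8, bytes: [0x57, 0x45, 0x42, 0x50] } },
];

function matchesAt(data, offset, sig) {
  if (data.length < offset + sig.length) return false;
  for (let i = 0; i < sig.length; i++) {
    if (data[offset + i] !== sig[i]) return false;
  }
  return true;
}

// Returns the allowlisted image type the leading bytes identify, or null.
function sniffImageType(data) {
  for (const s of IMAGE_SIGNATURES) {
    const head = matchesAt(data, s.offset, s.bytes);
    const extra = !s.also || matchesAt(data, s.also.offset, s.also.bytes);
    if (head && extra) return s.type;
  }
  return null;
}

// Vulnerable pattern: the Blob type is whatever the asset metadata claims.
// A real PNG with HTML appended and a declared type of text/html still
// renders in an <img>, but opening the blob: URL in a new tab parses the
// file as HTML in the app's own origin and runs the script.
function vulnerableBlobType(data, declaredType) {
  return declaredType;
}

// Hardened pattern: the Blob type comes only from the bytes. Magic bytes do
// not prove the tail of the file is harmless (this is a polyglot), so the
// defence is forcing an image/* type, not trying to detect the payload.
function hardenedBlobType(data, declaredType) {
  const sniffed = sniffImageType(data);
  if (sniffed === null) {
    throw new Error(`rejecting asset: not a recognised image (declared ${declaredType})`);
  }
  return sniffed;
}

// Builds the blob: URL the image viewer would open (browser or Node >= 16.7).
function makeImageObjectUrl(data, declaredType) {
  const blob = new Blob([data], { type: hardenedBlobType(data, declaredType) });
  return URL.createObjectURL(blob);
}

// Constructed sample: a PNG signature followed by an HTML payload, declared
// as text/html, as in the reported attack.
const PNG_HEADER = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const HTML_TAIL = new TextEncoder().encode("<script>alert(document.domain)</script>");
const POLYGLOT = new Uint8Array([...PNG_HEADER, ...HTML_TAIL]);

console.log(vulnerableBlobType(POLYGLOT, "text/html")); // text/html
console.log(hardenedBlobType(POLYGLOT, "text/html"));   // image/png
```

Validating on upload is useful but not sufficient on its own: the client must still refuse to hand a sender-controlled type to the Blob, because the server-side check can be bypassed by another client or a modified request. Re-encoding through a canvas would remove the trailing payload entirely, at the cost of metadata and transparency handling.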

The second flaw discovered by the researcher was a less severe denial of service (DoS) issue (CVE-2021-32666) in the iOS version of Wire, where the inclusion of the " (double quotation mark) character in an invalid assetID would crash the client.

“When we schedule the request to fetch the invalid asset, it’s not possible to create the URL object since the path contains an illegal URL character,” a related advisory explains.

“This will in turn trigger an assertion which crashes the app.”
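The lesson of the DoS is that an identifier received from another user must be validated at the parsing boundary and that a request which cannot be built is an input error, not an invariant violation worth an assertion. The following added example (not Wire's code; written in JavaScript for consistency with the web example above) models a client that plans fetches for a batch of asset IDs. The crash-prone version treats an unbuildable URL as a fatal assertion, so one hostile ID aborts the whole batch; the hardened version allowlists the ID format first and skips bad entries. The assumption that asset IDs are UUIDs, the base URL, and the set of characters the strict URL builder rejects (modelled on RFC 3986's excluded characters, which a strict constructor such as Foundation's URL(string:) refuses rather than percent-encoding) are all assumptions of this example.

```javascript
// Added example (not Wire's code): validate remote asset IDs before building
// request URLs, and fail per item instead of crashing the client.

// Assumed base URL for the example; not Wire's asset service.
const ASSET_BASE = "https://assets.example.invalid/v3/assets/";

// Assumption: asset IDs are UUIDs. Anything else is rejected before use.
const ASSET_ID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Models a strict URL constructor: characters RFC 3986 excludes from URLs
// (space, ", <, >, \, ^, `, {, |, }) make construction fail and return null
// instead of being percent-encoded. This is a model of that behaviour, not
// a call into any real URL library.
function tryBuildAssetUrl(id) {
  if (/[\s"<>\\^`{|}]/.test(id)) return null;
  return ASSET_BASE + id;
}

// Crash-prone pattern: an unbuildable URL is treated as a programmer error.
// The thrown Error stands in for the assertion that took the app down; note
// that the valid IDs before and after the bad one are never scheduled.
function fragileFetchPlan(assetIds) {
  const plan = [];
  for (const id of assetIds) {
    const url = tryBuildAssetUrl(id);
    if (url === null) {
      throw new Error(`assertion failed: could not build URL for asset ${JSON.stringify(id)}`);
    }
    plan.push(url);
  }
  return plan;
}

// Hardened pattern: allowlist the identifier at the boundary, and record a
// reason for anything skipped so the failure is observable but non-fatal.
function hardenedFetchPlan(assetIds) {
  const scheduled = [];
  const skipped = [];
  for (const id of assetIds) {
    if (typeof id !== "string" || !ASSET_ID.test(id)) {
      skipped.push({ id, reason: "invalid asset id" });
      continue;
    }
    // Cannot fail once the ID matched the allowlist, but stay defensive.
    const url = tryBuildAssetUrl(id);
    if (url === null) {
      skipped.push({ id, reason: "unbuildable url" });
      continue;
    }
    scheduled.push(url);
  }
  return { scheduled, skipped };
}

// Constructed batch: two well-formed IDs around one carrying a double quote.
const SAMPLE_BATCH = [
  "3fa85f64-5717-4562-b3fc-2c963f66afa6",
  '3fa85f64-5717-4562-b3fc-2c963f66afa6"',
  "9b2c1d0e-1234-4abc-8def-0123456789ab",
];

console.log(hardenedFetchPlan(SAMPLE_BATCH));
// { scheduled: [two URLs], skipped: [{ id: '...afa6"', reason: 'invalid asset id' }] }
```

The same shape applies to any field a peer controls (conversation IDs, file names, URLs in link previews): the check lives where the untrusted data enters, and a failed check produces a logged skip, not a process-level abort.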

Coordinated disclosure

Both vulnerabilities were subject to a coordinated disclosure process between Gamble and the Wire security team.

“The DoS was fixed in version 3.81 and the stored XSS was patched in version 2021-06-01-production.0 [released June 1],” Gamble said.

“No update is required by the user other than updating your Wire on your iOS device if it hasn’t done so automatically.”

A Wire spokesperson said there is no evidence that either bug has been exploited in the wild.

“The vulnerabilities were responsibly disclosed to us by a vulnerability researcher and after confirming their validity we fixed and released them as quickly as possible,” the spokesperson said.

“We also proactively published the vulnerabilities as CVEs for full transparency.”

Source: https://portswigger.net/daily-swig/xss-flaw-in-wire-messaging-app-allowed-attackers-to-fully-control-user-accounts

Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO