We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny). They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. Inside iframes, everything was possible, even loading code from an SMB share! This enables an attacker to execute remote code without caring about CSP. Juliano worked on this with Alfredo, along with trying to get a manageable segmentation fault.

https://twitter.com/HacKanCuBa/status/994966245857529857

Shortly after publishing the above Twitter notification on 11 May, the security researchers reached out to Signal. The encrypted messaging app's security folks confirmed they were working on a patch two hours later. It took just another hour for Signal's security team to release a patch.

Iván Ariel Barrera Oro was surprised at how quickly Signal released the fix, especially given its size. He therefore decided to have a look at the patch file's history. It was then that he discovered that the messaging app had previously created the fix but had removed it on 10 April to fix a linking issue.

The security researcher admitted he still has his doubts about the patch file:
I’m still not convinced about that regex and I’m afraid someone might exploit it, especially those resourceful three-letter agencies….

Signal users should consider updating their software as soon as possible.
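
A policy that restricts scripts does not by itself restrict what frames, objects, media or forms may load or submit to, because each element class is governed by its own CSP directive. The following is an added example, not code from the article, the researchers or Signal: it reports which of the element classes listed in the researchers' account a given policy leaves open. The function names and both policy strings are constructed for illustration and are not Signal's actual CSP.

```javascript
// Directive chain governing each element class; the first directive present wins.
const ELEMENT_DIRECTIVES = {
  script: ['script-src', 'default-src'],
  img: ['img-src', 'default-src'],
  'audio/video': ['media-src', 'default-src'],
  object: ['object-src', 'default-src'],
  'frame/iframe': ['frame-src', 'child-src', 'default-src'],
  form: ['form-action'], // form-action never falls back to default-src
};

function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // Per the CSP spec a repeated directive is ignored: the first one wins.
    if (name && !policy.has(name.toLowerCase())) {
      policy.set(name.toLowerCase(), sources);
    }
  }
  return policy;
}

// Local-only: every source is 'none', 'self', a nonce or a hash.
// An empty source list matches nothing, so it also counts as local-only.
function isLocalOnly(sources) {
  return sources.every((s) => /^'(none|self|nonce-[^']+|sha(256|384|512)-[^']+)'$/i.test(s));
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = {};
  for (const [element, chain] of Object.entries(ELEMENT_DIRECTIVES)) {
    const governing = chain.find((d) => policy.has(d));
    if (!governing) {
      findings[element] = 'unrestricted (no directive applies)';
    } else if (isLocalOnly(policy.get(governing))) {
      findings[element] = `restricted by ${governing}`;
    } else {
      findings[element] = `permissive sources in ${governing}`;
    }
  }
  return findings;
}

// Constructed policies for illustration only.
const SCRIPT_ONLY = "script-src 'self'";
const LOCKED_DOWN = "default-src 'none'; script-src 'self'; img-src 'self'; form-action 'none'";
console.log(auditCsp(SCRIPT_ONLY), auditCsp(LOCKED_DOWN));
```
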