18 June 2021 at 11:46 UTC
Updated: 18 June 2021 at 13:12 UTC
Security fixes pushed down the wire
The maintainers of the Wire secure messaging app have patched the software against two security vulnerabilities, one of which could have allowed an attacker to “fully control” user accounts.
Based in Germany with offices in the US, Sweden, and Switzerland, Wire is a free and open source secure messaging platform with commercial options for enterprise customers.
After reviewing the platform, independent security researcher Kane Gamble discovered two vulnerabilities impacting the web and iOS versions of Wire.
The first flaw, present in Wire web app versions 2021-05-10 and earlier, is a cross-site scripting (XSS) issue involving the image handler.
Tracked as CVE-2021-32683, the XSS could be triggered when a user opened an image that had malicious code appended to it. The picture itself rendered normally, but the embedded payload executed in the context of app.wire.com.
Successful exploitation would allow an attacker to masquerade as a compromised Wire user and, according to a related GitHub advisory, “allows the attacker to fully control the user account”.
“So, if you upload a valid image with an XSS payload at the bottom, the image is rendered fine. But once opened in a new tab, the XSS is then fired.”
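The bug class described above, an image that still decodes correctly with a payload appended after its end-of-file marker, can be caught on the server before the file is ever served. The following is an added example and not Wire's own code: it walks the PNG chunk list and the JPEG segment list to find where the image actually ends and cuts off whatever follows, and the sample images and the trailer bytes are constructed inline for illustration.

```python
"""Strip bytes appended after an uploaded image's end-of-file marker.

Added example, not Wire's code: a server-side check for user-uploaded
images. Image decoders generally ignore bytes that follow the terminating
marker, so the check walks the container structure to find where the
image really ends and discards everything after it.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end(data: bytes):
    """Offset just past the IEND chunk, or None if this is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4          # header + payload + CRC
        if chunk_end > len(data):
            return None                           # truncated chunk
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None                                   # no IEND at all


def jpeg_end(data: bytes):
    """Offset just past the EOI marker (FF D9), or None if not a well-formed JPEG.

    Segments are walked rather than searched for FF D9, because an embedded
    EXIF thumbnail carries its own EOI before the real one.
    """
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                        # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                         # a real marker follows
                pos += 1
    return None


def sanitize_upload(data: bytes):
    """Return (image_bytes, trailing_byte_count); reject anything that is not PNG or JPEG."""
    end = png_end(data)
    if end is None:
        end = jpeg_end(data)
    if end is None:
        raise ValueError("not a well-formed PNG or JPEG")
    return data[:end], len(data) - end


# --- constructed sample inputs (not real uploads) ---
def _png_chunk(ctype: bytes, payload: bytes = b"") -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


SAMPLE_PNG = PNG_SIG + _png_chunk(b"IHDR", b"\0" * 13) + _png_chunk(b"IEND")
SAMPLE_JPEG = (b"\xff\xd8"                                      # SOI
               + b"\xff\xe0" + struct.pack(">H", 4) + b"\0\0"  # APP0 with 2-byte payload
               + b"\xff\xda" + struct.pack(">H", 4) + b"\0\0"  # SOS header
               + b"\x12\x34\xff\x00\x56"                       # entropy data, one stuffed FF 00
               + b"\xff\xd9")                                  # EOI
TRAILER = b"<appended bytes stand-in>"                         # constructed trailing data

if __name__ == "__main__":
    for name, blob in (("png", SAMPLE_PNG + TRAILER), ("jpeg", SAMPLE_JPEG + TRAILER)):
        clean, dropped = sanitize_upload(blob)
        print(f"{name}: kept {len(clean)} bytes, dropped {dropped} trailing bytes")
```

Trimming is only one layer: the stored bytes should also be served with the content type the parser established rather than one the client supplied, so that a file which is not a valid image never reaches a browser as one.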
The second flaw discovered by the researcher was a less severe denial of service (DoS) issue (CVE-2021-32666) in the iOS version of Wire, where the inclusion of the [quotation mark] character in an invalid asset would crash the client.
“When we schedule the request to fetch the invalid asset, it’s not possible to create the URL object since the path contains an illegal URL character,” a related advisory explains.
“This will in turn trigger an assertion which crashes the app.”
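The failure mode in the advisory, a URL constructor that refuses an illegal character and an assertion that turns the refusal into a crash, is easiest to see next to the handling a client should use instead. The following is an added example and not Wire's code: `strict_url` is a stand-in for a platform URL type that rejects characters RFC 3986 does not allow, the base URL and the asset-key allow-list pattern are hypothetical, and the contrast is between asserting on construction and treating a bad key as a recoverable per-request error.

```python
"""Build asset URLs without letting one bad path crash the client.

Added example, not Wire's code. `strict_url` mimics a URL constructor that
fails on illegal characters; the fix validates and percent-encodes the
untrusted path segment and reports a failure instead of asserting on it.
"""
import re
from urllib.parse import quote

# Characters RFC 3986 allows to appear unencoded in a URL. A double quote is not one of them.
_URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")

# Hypothetical allow-list for asset keys (constructed for this example).
_ASSET_KEY = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

BASE = "https://assets.example"          # constructed base URL


def strict_url(candidate: str):
    """Return the string if every character is URL-legal, else None (a failing URL(string:))."""
    return candidate if _URL_CHARS.fullmatch(candidate) else None


def asset_url_unsafe(base: str, key: str) -> str:
    """The crash-prone pattern: assume construction always succeeds."""
    url = strict_url(f"{base}/assets/{key}")
    assert url is not None, "URL construction failed"   # a single bad key aborts the process
    return url


def asset_url(base: str, key: str):
    """Validate the key, percent-encode it, and return None rather than crashing on bad input."""
    if not _ASSET_KEY.fullmatch(key):
        return None
    return strict_url(f"{base}/assets/{quote(key, safe='')}")


def schedule_fetches(base: str, keys):
    """Return (urls, rejected): bad keys are reported, the remaining requests still go out."""
    urls, rejected = [], []
    for key in keys:
        url = asset_url(base, key)
        if url is None:
            rejected.append(key)
        else:
            urls.append(url)
    return urls, rejected


if __name__ == "__main__":
    ok, bad = schedule_fetches(BASE, ["a.png", 'bad"key', "b.jpg"])
    print("scheduled:", ok)
    print("rejected:", bad)
```

The point of `schedule_fetches` is that input arriving over the network is never a programmer error: an assertion is the right tool for an invariant the code controls, while a malformed asset path should be logged and skipped so that the rest of the conversation keeps loading.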
Both vulnerabilities were subject to a coordinated disclosure process between Gamble and the Wire security team.
“The DoS was fixed in version 3.81 and the stored XSS was patched in version 2021-06-01-production.0 [released June 1],” Gamble said.
“No update is required by the user other than updating your Wire on your iOS device if it hasn’t done so automatically.”
A Wire spokesperson confirmed that there has been no evidence of active exploitation of either of these bugs in the wild.
“The vulnerabilities were responsibly disclosed to us by a vulnerability researcher and after confirming their validity we fixed and released them as quickly as possible,” the spokesperson said.
“We also proactively published the vulnerabilities as CVEs for full transparency.”