The developers of the Wire secure messaging app have patched the software against two critical security flaws, one of which could allow an attacker to take over target users’ accounts. The first is a cross-site scripting (XSS) vulnerability that allowed an attacker to fully control user accounts. The flaw, tracked as CVE-2021-32683, affected the web app version 2021-05-10 and earlier.
According to security experts, threat actors often execute an XSS attack by sending a malicious link to a user and prompting the user to click it. If the app or website lacks proper security protocols, the malicious link executes the attacker’s chosen code on the user’s device. As a result, the attacker can steal the user’s active session cookie.
Kane Gamble, an independent security researcher, discovered two security issues in Wire Messenger versions for web and iOS. Headquartered in Germany with branches in the US, Sweden, and Switzerland, Wire is a popular messaging platform with more than 500,000 users, featuring audio, video, and text communications secured via end-to-end encryption.
The second flaw discovered by the researcher was a less critical denial of service (DoS) issue (CVE-2021-32666) in the iOS version of Wire.
“When we schedule the request to fetch the invalid asset, it’s not possible to create the URL object since the path contains an illegal URL character. This will in turn trigger an assertion which crashes the app,” the security researcher explained.
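The crash described above comes from treating a URL built from remote input as something that cannot fail. The following Swift example is added here for illustration and is not Wire's code or part of the original article: it validates a received asset key and returns an error instead of asserting. The function name, error type, host and path layout are all hypothetical.

```swift
import Foundation

// Hypothetical names: AssetRequestError, assetURL(forKey:) and the host/path
// layout are assumptions for illustration, not taken from the Wire code base.
enum AssetRequestError: Error, Equatable {
    case invalidAssetKey(String)
}

// The asset key arrives inside a message from another user, so it is
// untrusted input. Allow-list it; "." and "/" are left out on purpose so a
// key cannot introduce extra path segments.
private let allowedKeyCharacters = CharacterSet(charactersIn:
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")

// Fragile pattern (shown as a comment only): URL construction failure is
// handled as a programmer error, so one malformed key ends the process.
//   guard let url = URL(string: base + key) else { fatalError("bad URL") }

// Hardened pattern: a malformed key is a recoverable, per-message error.
func assetURL(forKey key: String) -> Result<URL, AssetRequestError> {
    guard !key.isEmpty,
          key.unicodeScalars.allSatisfy({ allowedKeyCharacters.contains($0) }) else {
        return .failure(.invalidAssetKey(key))
    }
    var components = URLComponents()
    components.scheme = "https"
    components.host = "assets.example.invalid"   // placeholder host
    components.path = "/assets/" + key
    guard let url = components.url else {
        return .failure(.invalidAssetKey(key))
    }
    return .success(url)
}

// Constructed sample keys: one well-formed, one containing characters that
// are illegal in a URL path.
for key in ["3-2-1a2b3c4d", "bad key\u{0}<>"] {
    switch assetURL(forKey: key) {
    case .success(let url):
        print("fetch \(url.absoluteString)")
    case .failure(let error):
        print("dropped asset reference: \(error)")   // log and skip, no crash
    }
}
```

Validating before construction also keeps the behaviour independent of the Foundation version, since newer releases of `URL(string:)` percent-encode some invalid characters rather than returning `nil`.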
Both flaws were subject to a coordinated disclosure process between Gamble and the Wire security team. “The DoS was fixed in version 3.81 and the stored XSS was patched in version 2021-06-01-production.0 [released June 1]. No update is required by the user other than updating your Wire on your iOS device if it hasn’t done so automatically,” Gamble added.
A Wire spokesperson said that there is no evidence of active exploitation of either of these bugs in the wild.
“The vulnerabilities were responsibly disclosed to us by a vulnerability researcher and after confirming their validity we fixed and released them as quickly as possible. We also proactively published the vulnerabilities as CVEs for full transparency,” the spokesperson said.