A Critical XSS Flaw in the Wire App could lead to Account Takeover

by CISOCONNECT Bureau

Wire messenger users may have been affected by a critical security flaw. A cross-site scripting (XSS) vulnerability was discovered in the Wire app, which could be exploited to let an adversary gain control of target users’ accounts.

XSS Vulnerability
Kane Gamble, a security researcher, discovered two vulnerabilities in the web and iOS versions of Wire Messenger. Wire is a popular messaging application that offers end-to-end encrypted audio, video, and text communications.

The first of the two vulnerabilities is a cross-site scripting (XSS) flaw, tracked as CVE-2021-32683, that mostly affected web app version 2021-05-10 and earlier. An attacker who exploits it could take control of the victim’s Wire user account.

In a GitHub advisory, Wire described the bug’s impact as follows:

“If a user is instructed to open an image in a new tab (right click -> open in new tab, or copy the URL and paste it in the URL bar), an the [sic] image payload is executed on the domain hosting the app (app.wire.com).”

The second vulnerability was less severe than the first, but it still had a negative impact. According to Wire’s advisory, this vulnerability (CVE-2021-32666) might result in a denial of service.

“If a user has an invalid assetID for his/her profile picture and it contains the ” character it will cause the iOS client to crash.”

Wire iOS app versions 3.8.0 and earlier were impacted by the vulnerabilities.

Deployment of Patch
Wire worked to produce patches for both flaws after receiving bug reports from the researcher.

As a result, the developers shipped the fixes in Wire web app version 2021-06-01-production and Wire iOS version 3.81, respectively.
