Security [Signal for macOS]: Lack of quarantine meta-attribute for downloaded files leads to GateKeeper bypass

[Metnew]

Bug Description

Report to Brave: https://hackerone.com/reports/374106

1. Signal doesn't handle quarantine properly.
2. Downloaded files bypass Quarantine & Gatekeeper checks
3. Downloaded files are executable in 2 clicks
4. .terminal file can be used for this purpose (it's executable after downloading from the web).

OS

macOS

[Metnew]

🤔

[Metnew]

🤔

[kenpowers-signal]

Sorry, not quite sure I follow. Are you saying that the same issue that applies to Brave applies to downloaded attachments in Signal?

[Metnew]

Exactly this, see for reference:

• https://hackerone.com/reports/430463
• https://hackerone.com/reports/484664
• https://hackerone.com/reports/470637

I also shared my slides about macOS File Quarantine with you (GDrive, email invitation). Please, don't share these slides with others.

Fix: add LSFileQuarantineEnabled=false in Info.plist and make sure auto-updater doesn't quarantine the new version of the app.

[Metnew]

@kenpowers-signal Let me know whether you're going to fix this (and when, if you're), so that I can publish my research and send it to IBB. Thanks

[Metnew]

@kenpowers-signal ^^

[Metnew]

@kenpowers-signal ??

[kenpowers-signal]

Thanks, we're considering this and will update this thread if we decide to change behavior for downloaded files.

[scottnonnenberg-signal]

v1.30.0 introduced quarantine attributes for saved attachments on macOS: 1bf9ca7