Interesting thread | 𝕏
Deep dive into the Signal arbitrary deletion vulnerability I discovered in Signal Desktop:
In Signal Desktop, attachments are stored in a designated folder (typically “attachments.noindex”). The deletion logic resolves this folder’s absolute path using fs.realpathSync, which inherently follows symbolic links.
https://x.com/jipisback/status/1894682205500088793