No MOTW added when downloading attachments on Windows. #7532

@felixaime

Using a supported version?

  • I have searched open and closed issues for duplicates.
  • I am using Signal-Desktop as provided by the Signal team, not a 3rd-party package.

Overall summary

Hello,

After reviewing the code and performing some tests with friends, it appears that Signal Desktop for Windows does not apply the Mark of the Web (MOTW) to downloaded files.

MOTW is a Windows security feature based on NTFS ADS streams designed to prevent the easy execution of files originating from the Internet.

Recently, we documented a Russian intrusion set distributing malicious documents to their victims via Signal (under the name "APT28 Operation Phantom Net Voxel"). Since Signal does not use MOTW, the macros embedded in these received documents are not blocked by Microsoft Office’s security mechanisms.

All the best,
Félix

Steps to reproduce

  1. Send a file to some user;
  2. Ask the user to download the received file;
  3. Ask the user to look at the "Zone.Identifier" ADS stream with a simple PowerShell command line such as:

Get-Content <downloaded-file> -Stream Zone.Identifier

Expected result

Having a Zone.Identifier ADS stream added to each file downloaded from Signal Desktop with:

[ZoneTransfer]
ZoneId=3

Actual result

No Zone.Identifier present on files downloaded from Signal Desktop.

Screenshots

No response

Signal version

7.74.0

Operating system

Windows 10

Version of Signal on your phone

No response

Link to debug log

No response
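
One way a desktop client could tag a saved attachment with the stream content described under "Expected result", as an added example (not Signal Desktop's code and not part of the original issue). The helper names are hypothetical, and it assumes Node.js on an NTFS volume, where `<file>:Zone.Identifier` opens the alternate data stream.

```javascript
// Added example, not Signal Desktop code. Helper names are hypothetical.
const fs = require('node:fs');

const STREAM = 'Zone.Identifier';
const ZONE_INTERNET = 3; // URLZONE_INTERNET, the value the issue expects

// Body of the stream, in the INI form shown in the issue (CRLF line endings).
function zoneIdentifierBody(zoneId = ZONE_INTERNET) {
  if (!Number.isInteger(zoneId) || zoneId < 0 || zoneId > 4) {
    throw new RangeError(`invalid ZoneId: ${zoneId}`);
  }
  return `[ZoneTransfer]\r\nZoneId=${zoneId}\r\n`;
}

// NTFS addresses an alternate data stream as "<file>:<stream>".
function adsPath(filePath) {
  return `${filePath}:${STREAM}`;
}

// Extract ZoneId from stream text; null when the section or key is missing.
function parseZoneId(text) {
  let inSection = false;
  for (const raw of String(text).split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith('[')) {
      inSection = line.toLowerCase() === '[zonetransfer]';
      continue;
    }
    const m = inSection && /^ZoneId\s*=\s*(\d+)$/i.exec(line);
    if (m) return Number(m[1]);
  }
  return null;
}

// Tag a freshly saved attachment. Returns the ZoneId read back from disk,
// or null when the stream could not be written (non-Windows, FAT/exFAT, ...).
function markFromInternet(filePath) {
  if (process.platform !== 'win32') return null; // ADS is an NTFS feature
  try {
    fs.writeFileSync(adsPath(filePath), zoneIdentifierBody());
    return parseZoneId(fs.readFileSync(adsPath(filePath), 'utf8'));
  } catch (err) {
    return null; // caller should log this: the file stays unmarked
  }
}
```

Reading the stream back after writing it gives the same evidence as the `Get-Content ... -Stream Zone.Identifier` check in the reproduction steps.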
