Cyber Citadel's Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed an HTML Injection vulnerability in the Turtl Notes application, which could lead to RCE and NTLMv2 hash disclosure.
Turtl Notes is a cross-platform note-taking and collaboration application that markets itself as a secure alternative to tools like Evernote. With over 10,000 downloads on Google Play and a strong emphasis on privacy, the application uses 2,048-bit key encryption and DDoS protection to safeguard user data. However, the HTML Injection vulnerability discovered by Cyber Citadel researchers exposed a critical flaw that undermined these protections.
About Turtl Notes
Turtl Notes provides a range of features designed for secure collaboration. The application supports cross-platform use across Windows, Mac, Linux and Android, allowing users to create notebooks, organise notes and share them with other users. Notes are synchronised across devices, enabling seamless access from any platform. Users can also share individual notes or entire notebooks with other Turtl users and via email.
The application's security model relies heavily on client-side encryption, with all data encrypted before it leaves the user's device. This approach means that even the Turtl servers cannot access the plaintext content of notes, providing a strong privacy guarantee under normal circumstances.
The Vulnerability
Despite its impressive encryption and firewall protections, the Turtl Notes application was found to be vulnerable to HTML Injection. This vulnerability could be exploited to achieve Remote Code Execution (RCE) through the abuse of arbitrary URI schemes.
HTML Injection leading to RCE represents a critical security flaw. By injecting crafted HTML content into a shared note, an attacker could execute arbitrary code on the victim's machine when the note is opened.
The attack chain works by exploiting the way Turtl renders HTML content within notes. Because the application does not properly sanitise user input, an attacker can inject malicious HTML that, when rendered by the application's embedded browser engine, can trigger the execution of arbitrary URI schemes. This can lead to remote code execution on the victim's system and the disclosure of NTLMv2 hashes, which can be used for further attacks including credential relay and offline password cracking.
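The control the attack chain above calls for, shown as an added example rather than Turtl's own code: rebuild shared-note HTML from an allowlist of tags and link schemes before the embedded browser renders it, so that neither javascript: links nor an arbitrary custom URI scheme can reach a handler on the host. The allowlist, the sanitizer and the sample note are all assumptions constructed for this illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hypothetical allowlist (an assumption for this example, not Turtl's own policy).
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}
ALLOWED_SCHEMES = {"http", "https", "mailto"}

def safe_href(value):
    # Drop control characters first (browsers ignore them inside a scheme), then accept
    # only allowlisted schemes, so no URI handler registered on the host is reachable.
    cleaned = "".join(c for c in value if c > " " and c != "\x7f")
    return urlsplit(cleaned).scheme in ALLOWED_SCHEMES

class NoteSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1  # their text content is dropped entirely
        elif tag in ALLOWED_TAGS:  # any other tag is dropped, its text kept
            kept = [f' {n}="{escape(v, quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, ()) and v and safe_href(v)]
            if tag == "a" and kept:
                kept.append(' rel="noopener noreferrer"')
            self.out.append(f"<{tag}{''.join(kept)}>")  # a rejected href leaves a plain <a>

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize_note_html(raw):
    p = NoteSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)

# Constructed sample note: a good link, a javascript: link, a made-up custom scheme, a script.
SAMPLE_NOTE = ('<p>Meeting notes <b>draft</b></p><a href="https://example.com/agenda">agenda</a> '
               '<a href="javascript:alert(1)">link</a> <a href="custom-app:open">open</a>'
               '<script>alert(1)</script>')
```

Running sanitize_note_html(SAMPLE_NOTE) keeps the formatting and the https link, reduces both unsafe links to plain anchors with their text, and drops the script block.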
Vendor Response
The vulnerability details are as follows:
- Application: Turtl Notes v0.7.2.6
- Affected Platforms: Windows, Mac, Linux, Android
- Date Reported: 11 December 2021
- Status: Unfixed at time of disclosure
- CVE: Processing
At the time of publication, the vulnerability remained unfixed. The CVE assignment was still being processed. Users of Turtl Notes should exercise caution when opening notes shared by untrusted parties and should monitor for updates from the Turtl development team.
