HTML Injection vulnerability found in Turtl Notes, disclosed by Cyber Citadel researchers, could affect iOS and Android users.

Cyber Citadel’s Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed an HTML Injection vulnerability in the Turtl Notes application, which could potentially lead to RCE and NTLMv2 hash disclosure by abusing arbitrary URI schemes.

Turtl Notes user interface

Turtl Notes

Turtl Notes is a cross-platform application that focuses on note-taking collaboration. The online service provides users with a notebook sharing platform that allows notes to be organised easily, synchronised across devices, shared with other Turtl users and shared via email. The application has been downloaded 10,000+ times on Google Play and an unknown number of times from Turtl’s website for Windows, OSX, Linux, Android and iOS.

While Turtl encrypts user data with an impressive 2,048-bit key encryption system and boasts high-grade firewalls that protect against DDoS attacks, the HTML Injection vulnerability found by Rafay Baloch and Muhammad Samak has exposed a critical flaw in Turtl’s software.
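As a defensive illustration of the URI-scheme abuse described in the disclosure, the following added example (not Turtl's code and not from the researchers) audits rendered note HTML and flags any URL attribute whose scheme is outside an allowlist, including UNC and network-path references that can make a Windows client attempt SMB authentication. The allowlist, attribute set, function names and sample note are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: schemes a note renderer needs; everything else is refused.
ALLOWED_SCHEMES = {"http", "https", "mailto"}
# Attributes that can carry a URL the client may fetch or launch.
URL_ATTRS = {"href", "src", "action", "formaction", "poster", "data"}

def check_url(value):
    """Return None if the URL is acceptable, otherwise a short reason."""
    # Browsers drop tabs/newlines inside URLs and treat "\" like "/".
    url = "".join(c for c in value.strip() if c not in "\t\r\n").replace("\\", "/")
    if url.startswith("//"):
        # UNC path or scheme-relative URL: points at a remote host (SMB on Windows).
        return "network-path"
    try:
        scheme = urlsplit(url).scheme.lower()
    except ValueError:
        return "unparseable"
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "scheme:" + scheme
    return None  # allowed scheme, or a relative/fragment reference

class _UrlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # attrs arrive entity-decoded, so the scheme is checked in clear text.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                reason = check_url(value)
                if reason:
                    self.findings.append((tag, name, value, reason))

def audit_note_html(html):
    """List (tag, attribute, value, reason) for every refused URL."""
    parser = _UrlAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample note body (not taken from the advisory).
SAMPLE_NOTE = r"""<p>Meeting notes</p>
<a href="https://example.com/agenda">agenda</a>
<img src="file://fileserver.example/share/logo.png">
<a href="\\fileserver.example\share\doc">doc</a>
<a href="customapp://open?x=1">open</a>
<a href="#section-2">jump</a>"""
```

Running `audit_note_html(SAMPLE_NOTE)` reports the `file:` image, the UNC link and the custom-scheme link, and passes the `https` and fragment links.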

Turtl remote code execution POC
Evidence of Turtl RCE vulnerability

Response from Vendors

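| Vendor | Service | Version | Platform | Reported Date | Fixed | CVE |
|--------|---------|---------|----------|---------------|-------|-----|
| Turtl | Turtl Notes | 0.7.2.6 | Windows, Mac, Linux, Android | 11/12/2021 | N/A | Processing |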