Create accountLogin

Recent searches

No recent searches

Search options

Only available when logged in.
hachyderm.io is one of the many independent Mastodon servers you can use to participate in the fediverse.
Hachyderm is a safe space, LGBTQIA+ and BLM, primarily comprised of tech industry professionals world wide. Note that many non-user account types have restrictions - please see our About page.

Administered by:

Server stats:

9.6K
active users

hachyderm.io: AboutStatusProfiles directoryPrivacy policy

Mastodon: AboutGet the appKeyboard shortcutsView source codev4.3.5

Public
Michał "rysiek" Woźniak · 🇺🇦

Update Signal and pay attention when joining groups:
wired.com/story/russia-signal-

👉 No, Signal has not been compromised
👉 No, Signal encryption has not been broken
👉 No, there is no back-door in Signal

You should continue using Signal. The update is responding to a sophisticated, state-level attack targeting specific groups.

Unless you are a high-value target, you are almost certainly never going to see this in the wild.

If you know you are a high-value target, ask your support.

WIRED · A Signal Update Fends Off a Phishing Technique Used in Russian EspionageBy Andy Greenberg
#InfoSec#Signal
Public
Michał "rysiek" Woźniak · 🇺🇦

Technical details in the report:
cloud.google.com/blog/topics/t

The tl;dr is:

Signal uses https://signal[.]group/#hash-fragment links in QR codes that allow people to join groups. Group identifier is in the hash-fragment.

The link loads in a browser first. A bit of JS redirects it to a sgnl://signal[.]group/hash-fragment link that is then handled directly by Signal app on mobile.

Malicious QR codes use a different domain (list in the report) and redirect to a sgnl://linkdevice URL instead.

Google Cloud BlogSignals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger | Google Cloud BlogRussia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.
Quiet public *
Michał "rysiek" Woźniak · 🇺🇦

That sgnl://linkdevice URL is also handled by Signal app on mobile, but instead it links that mobile client to another client (like Signal Desktop).

Apparently what the update does is:
- it asks the person using the mobile app to explicitly enter link-new-device flow;
- and then double checks for a while at random intervals if the person really intended to link a new device.

One of the relevant commits:
github.com/signalapp/Signal-An

GitHubAdd new copy for linked device dialogs. · signalapp/Signal-Android@112874cA private messenger for Android. Contribute to signalapp/Signal-Android development by creating an account on GitHub.
Cassandrich

@rysiek Linkdevice workflow should need to be initiated from the device that already has access not the side that wants to get access.

This sounds like a variant on the long unfixed Discord "Scan QR Code" account takeover vector.

Feb 19, 2025, 01:30 PM·Quiet public·Web
1boost·6favorites
Quiet public
Michał "rysiek" Woźniak · 🇺🇦

@dalias absolutely!

I can see how that's complicated here – Signal app is the one that has access, but is also on the device that is easier to scan QR codes on.

So it kinda makes sense, from usability perspective, to initiate it with a QR code displayed in Signal Desktop, and scanned on the mobile device.

Not sure what the solution here is, but I agree with you it should be the other way around.

Quiet public *
Cassandrich

@rysiek 1. Client generates cryptographic secret sent to cloud infrastructure when you go to "link device" on client.

2. Device you want to link pulls this secret associated with account id you want to link. Fails if client for account is not in linking process already. Displays QR code.

3. Existing client scans QR code, only links if secret matches.

Edit: To be clear, this isn't complete and doesn't authenticate the other direction, which you still need to do as well (new device also generates a secret).

ExploreLive feeds
About