Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Signal. Show all posts
Vulnerabilities and Exploits
Cloudfare Discord Signal User Privacy Vulnerabilities and Exploits

Cloudflare CDN Vulnerability Exposes User Locations on Signal, Discord

 

A threat analyst identified a vulnerability in Cloudflare's content delivery network (CDN) which could expose someone's whereabouts just by sending them an image via platforms such as Signal and Discord. While the attack's geolocation capability is limited for street-level tracking, it can provide enough information to determine a person's regional region and track their activities. 

Daniel's discovery is especially alarming for individuals who are really concerned regarding their privacy, such as journalists, activists, dissidents, and even cybercriminals. This flaw, however, can help investigators by giving them further details about the state or nation where a suspect might be. 

Covert zero-click monitoring

Daniel, a security researcher, found three months ago that Cloudflare speeds up load times by caching media resources at the data centre closest to the user. 

"3 months ago, I discovered a unique 0-click deanonymization attack that allows an attacker to grab the location of any target within a 250 mile radius," explained Daniel. "With a vulnerable app installed on a target's phone (or as a background application on their laptop), an attacker can send a malicious payload and deanonymize you within seconds--and you wouldn't even know.” 

To carry out the information-disclosure assault, the researcher would transmit a message to an individual including a unique image, such as a screenshot or a profile avatar, stored on Cloudflare's CDN. 

Subsequently, he exploited a flaw in Cloudflare Workers to force queries through specific data centres via a new tool called Cloudflare Teleport. This arbitrary routing is typically prohibited by Cloudflare's default security limitations, which require that each request be routed from the nearest data centre. 

By enumerating cached replies from multiple Cloudflare data centres for the sent image, the researcher was able to map users' geographical locations based on the CDN returning the closest airport code to their data centre.

Furthermore, since many apps, like Signal and Discord, automatically download images for push notifications, an attacker can monitor a target without requiring user engagement, resulting in a zero-click attack. Tracking accuracy extends from 50 to 300 miles, depending on the location and the number of Cloudflare data centers nearby.
Read more »
Technology
Android interface iOS links Signal Technology

Join Group Calls Easily on Signal with New Custom Link Feature





Signal, the encrypted messaging service, has included new features to make it easier to join group calls, through personalised links. A blog post recently announced the update on the messaging app, setting out to simplify the way of conducting and administering a group call on its service.


Group Calls via Custom Link Easily Accessible


In the past, a group call on Signal began by first making a group chat. Signal recently added features that included automatically creating and sharing a direct link for group calls. Users no longer have to go through that annoying group chat setup just to make the call. To create a call link, one has to open the app and go to the links tab to tap to start a new call link. All links can be given a user-friendly name and include the ability to require approval of any new invitees prior to them joining, adding yet another layer of control.


The call links are also reusable, which is very useful for those who meet regularly, such as weekly team calls. Signal group calling has now been expanded to 50 participants, expanding its utilisation for larger groups.


More Call Control


This update also introduces better management tools for group calls. Users can remove participants if needed and even block them from rejoining if it is needed. That gives hosts more power when it comes to who should have access to the call, which would improve safety and participant management.


New Interactive Features for Group Calls


Besides call links, Signal has also integrated some interactive tools for consumers during group calls. Signal has included a "raise hand" button to enable participants to indicate whether they would want to speak, which makes further efforts to organise group discussions. It also allows support through emoji reactions in calls. The user can continue participating and not interrupt another caller.


Signal has also improved the call control interface so that more manoeuvres are available to mute or unmute a microphone, or turn cameras on or off. This is to ensure more fluidity and efficiency in its use.


Rollout Across Multiple Platforms


The new features are now rolled out gradually across Signal's desktop, iOS, and Android versions. The updated app is available on the App Store for iPhone and iPad users free of charge. In order to enjoy the new features regarding group calling functions, users should update their devices with the latest version of Signal.


Signal has recently added new features to make group calling easier, more organised, and intuitive. It has given the user more freedom to control the calls for both personal use and professional calls.

Read more »
User Data
Cyber Security data security Hacking WhatsApp iOS security macOS Signal Signal app User Data

Major Security Flaw in WhatsApp and Signal MacOS Apps Puts User Data at Risk

 

A significant security warning has emerged for WhatsApp and Signal users this week, urging them to consider deleting their apps, particularly on MacOS. The issue, primarily affecting Apple users leveraging multi-device functionality, highlights severe vulnerabilities in the MacOS versions of these popular messaging platforms. Security researcher Tommy Mysk, known for uncovering critical vulnerabilities, recently disclosed that both WhatsApp and Signal MacOS apps store local data, including chat histories and media attachments, in locations accessible to any app or process running on the device. 

This is a stark contrast to Apple’s iMessage, which, despite storing similar data, uses sandboxing to prevent unauthorized access by other apps. The primary concern lies in how these apps handle local data storage. While WhatsApp and Signal emphasize end-to-end encryption for secure message transmission, this protection is compromised if local data can be accessed by other apps or malware. Mysk explained that the chat histories, the core of what these apps are designed to protect, are not sufficiently safeguarded on MacOS. The vulnerability means that if a malicious app gains access to the device, it could potentially monitor and exfiltrate the unencrypted local data. 

For WhatsApp, this includes both chat histories and media attachments. Mysk warned, “WhatsApp doesn’t encrypt the local database that stores chat histories. It doesn’t encrypt media attachments sent through the chat either. A simple malware could theoretically monitor this data and send it live to a remote server, rendering end-to-end encryption useless.” Signal, on the other hand, does encrypt local chat histories but fails to encrypt media attachments. More concerning is that the encryption key for the local chat history is stored in plain text within the same folder, making it accessible to other apps. This flaw undermines the app’s security, as an attacker could clone the local data folder to another device and restore the session. 

Mysk highlighted, “Signal’s false sense of security extends to their back-end servers. When copying the entire folder containing the app’s local data and moving the copy to a different Mac, an attacker can restore the session. Signal servers let the ‘cloned’ session co-exist with the other legit sessions.” The discovery underscores the persistent risk of endpoint compromise for fully encrypted platforms. While end-to-end encryption protects data in transit, the local storage vulnerabilities in these MacOS apps open potential pathways for remote or physical attacks. 

As users continue to rely on messaging apps for secure communication, these revelations call for immediate action from both WhatsApp and Signal to address these security gaps and reinforce their data protection measures on MacOS. For now, users should remain vigilant and consider the potential risks when using these platforms on their Mac devices.
Read more »
WhatsApp
2FA Android App Bogus Apps Data Breach Pre-installed apps Signal User Data Leak User Privacy WhatsApp

Fake Android App Enables Hackers to Steal Signal and WhatsApp User Data

Cybercriminals have recently developed a highly sophisticated approach to breach the security of both WhatsApp and Signal users, which is concerning. By using a phony Android conversation app, cybercriminals have been able to obtain user information from gullible individuals. There are significant worries regarding the vulnerability of widely used messaging services in light of this new threat.

Cybersecurity experts have reported that hackers have been exploiting a spoof Android messaging software to obtain users' personal information without authorization, specifically from Signal and WhatsApp users. With its slick layout and promises of improved functionality, the malicious app lures users in, only to stealthily collect their personal information.

Using a traditional bait-and-switch technique, the phony software fools users into thinking they are utilizing a reliable chat service while secretly collecting their personal data. According to reports, the software misuses the required rights that users are requested to provide during installation, giving it access to media files, contacts, messages, and other app-related data.

Professionals in cybersecurity have remarked that this technique highlights the growing cunning of cybercriminals in taking advantage of consumers' trust and the weaknesses in mobile app ecosystems. It is emphasized that consumers should exercise caution even when they download programs from official app stores because harmful apps can occasionally evade detection due to evolving evasion strategies.

Researchers studying security issues advise consumers to protect their data right away by taking preventative measures. It is advised to carefully examine user reviews and ratings, confirm the app's permissions before installing, and exercise caution when dealing with unapproved sources. Moreover, setting two-factor authentication (2FA) on messaging apps can provide an additional degree of security against unwanted access.

Signal and WhatsApp have reaffirmed their commitment to user privacy and security in response to this new threat. Users are encouraged to report any suspicious behavior and to remain alert. The event serves as a reminder that users and platform providers alike share responsibility for cybersecurity.

Dr. Emily Carter, a cybersecurity specialist, has stressed that a proactive approach to digital security is crucial in light of the hackers' increasing strategies. Users must be aware of potential risks and exercise caution when interacting with third-party apps, particularly those that request an excessive amount of permissions."

The necessity for ongoing caution in the digital sphere is highlighted by the recent usage of a phony Android chat app to steal user data from Signal and WhatsApp. To avoid becoming a victim of these nefarious actions, consumers need to stay informed and take precautions as hackers continue to improve their techniques. People can contribute to the creation of a safer online environment by keeping up with the most recent cybersecurity trends and best practices.

Read more »
WhatsApp
Elon Musk End-to-End Encrypted Messaging Services Online Safety Bill Signal Technology Twitter WhatsApp

Twitter Launches End-to-End Encrypted Messaging Services


Twitter has become the newest social media platform to be providing encrypted messaging service.

End-to-end Encryption 

Direct messages delivered on the platform will be end-to-end encrypted, i.e. private and only readable by the sender and receiver. However, Chief executive Elon Musk has warned Twitter users to “try it, but don’t trust it yet,” taking into account that it is only an early version of the service.

Only users of Twitter Blue or those connected to verified Twitter accounts are currently able to use the service, which is not yet available to the general public. Additionally, users can only send text and links in conversations for now; media attachments cannot yet be sent.

In a post on its support site, Twitter writes “It was not quite there yet” with encryption. "While messages themselves are encrypted, metadata (recipient, creation time, etc) are not, and neither is any linked content[…]If someone - for example, a malicious insider, or Twitter itself as a result of a compulsory legal process - were to compromise an encrypted conversation, neither the sender or receiver would know," it further read. 

Online Safety Bill Criticized 

Musk indicated his plans to make Twitter into a "super-app" with many features when he purchased it in 2022. There is not really a similar platform in the West to China's super-app WeChat, which can be used for anything from social media and restaurant ordering to payments and texting.

Since then, he has made a number of significant modifications to the social network, such as the addition of a subscription service and the elimination of the previous version of Twitter's blue tick badges, which were designed to combat the spread of disinformation.

For a long time, many Twitter users have demanded that the platform's private messaging function be made more secure. The UK, where the government's Online Safety Bill would impose additional rules for social media companies, reportedly in an effort to safeguard youngsters from abuse, may find Mr. Musk's timing unsettling.

Messaging services WhatsApp and Signal have both criticized this part of the Online Safety Bill, which is presently making its way through Parliament.

They expressed concerns that the legislation might weaken end-to-end encryption, which is seen as a crucial tool by privacy activists and campaigners.

Following this, heads of the two messaging platforms signed a letter demanding a rethink over the bill. According to them, the bill, in its current form, opens the door to "routine, general and indiscriminate surveillance" of personal messages. In regards to this, a Home Office spokesperson stated, "The Online Safety Bill applies to all platforms, regardless of their design and functionality. Therefore, end-to-end encrypted services are in scope and will be required to meet their duties of care to users."

"We have made clear that companies should only implement end-to-end encryption if they can simultaneously uphold public safety. We continue to work with the tech industry to collaborate on mutually agreeable solutions that protect public safety without compromising security," he added.

Read more »
User Security
Data Breach Devices Fraud Leak Phone Privacy Security Signal User User Data User Privacy User Security

Over 1,900 Signal User Data Exposed

 

The attacker involved in the latest Twilio data leak may have obtained phone numbers and SMS registration codes for 1,900 Signal users.

“Among the 1,900 phone numbers, the attacker explicitly searched for three numbers, and we’ve received a report from one of those three users that their account was re-registered,” the Signal team shared on Monday.

Twilio offers phone number verification services (through SMS) to Signal. Earlier this month, several Twilio employees were duped into receiving SMS messages that seemed to be from the company's IT department. The attacker gained access to information pertaining to 125 Twilio client accounts, including Signal's.

“During the window when an attacker had access to Twilio’s customer support systems it was possible for them to attempt to register the phone numbers they accessed to another device using the SMS verification code,” the Signal team explained.

As previously stated, the attacker was able to re-register at least one of the three numbers they specifically sought for.

“All users can rest assured that their message history, contact lists, profile information, whom they’d blocked, and other personal data remain private and secure and were not affected,” the team noted. That’s because that data is stored on the users’ device and Signal has no access to or copy of it. “And this information certainly is not available to Twilio, or via the access temporarily gained by Twilio’s attackers,” the team added.

Unfortunately, if the attacker was successful in re-registering an account, they might impersonate the user by sending and receiving Signal communications from that phone number.

Signal is immediately contacting potentially affected users of this vulnerability through SMS. The business has unregistered Signal on all devices that these 1,900 users are now using (or that an attacker has registered for them) and is requesting that they re-register Signal with their phone number on their preferred device.

Furthermore, they are advising them to enable registration lock (Signal Settings (profile) > Account > Registration Lock) for their account, which is a function that aids in the prevention of this sort of fraud.

The attacker was able to obtain either the phone numbers of 1,900 registered Signal users or the SMS verification code they used to register with Signal as a result of this.

“The kind of telecom attack suffered by Twilio is a vulnerability that Signal developed features like registration lock and Signal PINs to protect against. We strongly encourage users to enable the registration lock. While we don’t have the ability to directly fix the issues affecting the telecom ecosystem, we will be working with Twilio and potentially other providers to tighten up their security where it matters for our users,” the team concluded.
Read more »
Technology
End To End Encryption Secure Messenger Signal Technology

Signal Foundation owner says Telegram is not as secure as it claims

 Marlinspike stated that the security of the Telegram service is low since the personal data of users is on servers without any protection. According to him, this data includes contacts, media files, and every message that was created in unencrypted form. Allegedly, system administrators and engineers have easy access to this information.

Moxie Marlinspike believes that Telegram uses the dubious security protocol MTProto version 2.0, and end-to-end encryption E2EE does not always work.

The developer of the Telegram messenger, Pavel Durov, gave the founder of Signal an answer that simply shocked. He stated that the service stores all messages and user data in the public domain and does not assign itself the status of "the most secure messenger."

Durov wrote that his company still does not disclose personal data to third parties and third-party organizations. He said that any messenger does not give complete privacy to the user. For example, US companies work closely with the FBI and the NSA. According to the legislation of this country, they allow the introduction of backdoors that can become available to government agencies without notification and a court case.

Pavel noted that the Signal Foundation is sponsored by the CIA government agencies and can provide any data even without an official request.

Indeed, there is an opinion that the Signal Foundation is a project of the CIA, which, through intermediary organizations, organizes financial support and implements its agents.

It should be noted that Signal itself was hacked two years ago. The Israeli company Cellebrite, a developer of spyware, has gained access to the messages and attachments of the messenger. At the moment, the company cooperates with the governments of many countries and can provide access to the service.

Read more »
Zero-Day Bug
Android App Signal Vulnerabilities and Exploits Zero-Day Bug

Signal Patches Zero-Day Bug in its Android App

 

Signal has patched a critical flaw in its Android app that, in some circumstances, sent random unintended images to contacts without an obvious explanation. 

The flaw was first reported in December 2020 by Rob Connolly on the app's GitHub page. Despite being known for months, Signal has fixed the bug only recently. While the team faced a backlash over this delay, Greyson Parrelli, Signal’s Android developer confirmed fixing the bug recently. As per his response on the same GitHub thread, Signal has patched the flaw with the release of the Signal Android app version 5.17. 

When a user sends an image via the Signal Android app to one of his contacts, the contact would occasionally receive not just the selected image, but additionally a few random, unintended images, that the sender had never sent out, Connolly explained. 

“Standard conversation between two users (let’s call them party A and party B). Party A shares a gif (from built-in gif search). Party B receives the gif, but also some other images, which appear to be from another user (party A has searched their phone and does not remember the images in question). Best case the images are from another contact of B and messages got crossed, worst case they are from an unknown party, who's [sic] data has now been leaked,” Connolly told while describing the flaw. 

At this time, the flaw seems to have only impacted the Android version of the app. Signal Android app users should update to the latest version of the app, available on the Google Play store, researchers advised.

Last year in May 2020, cybersecurity researchers at Tenable discovered a flaw in the secure messaging app Signal which allowed threat actors to track user’s locations. Threat actors can track user’s movements just by calling their Signal number — whether or not the user had his contact information. This could be a big problem for victims of stalking, or for activists and journalists who are trying to avoid government or law enforcement detection to leak information or act in a whistleblower capacity, researcher David Wells wrote.

“That feature is not well advertised, and it’s interesting that someone could disclose your location if they’re your contact. Let’s say I have a burner phone and I just ring your phone, and I do it so quickly that all you see is a missed call from some number. Usually, it’ll be somewhat near you. So, I can force that DNS server [near you] to talk to me. By getting that information, I know what DNS server you’re using and I can determine your general location,” Wells explained.
Read more »
Subscribe to: Posts (Atom)