some of which you may find today, but others would remain invisible
until someone else finds and exploits them—which is the harsh
reality of cybersecurity and its current state.
And when we say this, Signal Private Messenger—promoted
as one of the most secure messengers in the world—is no
exception.
Google Project Zero researcher Natalie Silvanovich discovered a
logical vulnerability in the Signal messaging app for Android that
could have allowed a caller to force a call to be answered at the
receiver’s end without requiring any interaction from the receiver.
In other words, the flaw could have allowed attackers to simply
turn on the microphone of a targeted Signal user’s device and
listen to all conversations surrounding the phone.
However, it should be noted that the Signal vulnerability can
only be exploited if the receiver fails to answer an audio call
over Signal, eventually forcing the incoming call to be
automatically answered on the receiver’s device.
“In the Android client, there is a method handleCallConnected that
causes the call to finish connecting. During normal use, it is
called in two situations: when the callee device accepts the call
when the user selects ‘accept,’ and when the caller device receives
an incoming “connect” message indicating that the callee has
accepted the call,” Silvanovich explains in the Chromium
blog[1].
“Using a modified client, it is possible to send the “connect”
message to a callee device when an incoming call is in progress but
has not yet been accepted by the user. This causes the call to be
answered, even though the user has not interacted with the device.”
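The logic flaw described above, modeled as a small call state machine with the unchecked handler beside a guarded one. This is an added example, not Signal's code: the class, state and method names are hypothetical, and the `strict` check is one possible guard, not necessarily the fix Signal shipped.

```python
from enum import Enum, auto

class State(Enum):
    IDLE = auto()
    OUTGOING_RINGING = auto()  # we placed the call, waiting for the remote "connect"
    INCOMING_RINGING = auto()  # remote placed the call, waiting for the local user
    CONNECTED = auto()         # call established, microphone live

class CallSession:
    """One device's view of a call (hypothetical model, not Signal's classes)."""
    def __init__(self, strict):
        self.strict = strict   # True = validate role before honoring "connect"
        self.state = State.IDLE
        self.mic_on = False

    def place_call(self):
        self.state = State.OUTGOING_RINGING

    def on_remote_offer(self):
        self.state = State.INCOMING_RINGING

    def on_user_accept(self):
        # Local UI action: the only legitimate way a callee connects.
        if self.state is State.INCOMING_RINGING:
            self._connect()

    def on_remote_connect(self):
        # Network message: legitimate only on the device that placed the call.
        if self.strict and self.state is not State.OUTGOING_RINGING:
            return False       # drop: this device never placed the call
        if self.state in (State.OUTGOING_RINGING, State.INCOMING_RINGING):
            self._connect()    # unchecked path: any ringing call gets connected
            return True
        return False

    def _connect(self):
        # Stand-in for the page's handleCallConnected: finishes connecting.
        self.state = State.CONNECTED
        self.mic_on = True

def callee_mic_after_unsolicited_connect(strict):
    """Callee is ringing, user has not touched the device, "connect" arrives."""
    callee = CallSession(strict)
    callee.on_remote_offer()
    callee.on_remote_connect()
    return callee.mic_on
```

With `strict=False` the callee's microphone ends up live without any user action; with `strict=True` the message is dropped and the call keeps ringing, while the normal caller and callee paths still connect.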
user needs to manually enable video in all calls.”
“Signal has this large remote attack surface due to limitations in
WebRTC,” and the design flaw also affects the iOS version of the
messaging app, but cannot be exploited there because “the call is not
completed due to an error in the UI caused by the unexpected
sequence of states.”
Silvanovich reported this vulnerability to the Signal security
team last month. The company acknowledged the issue and patched it
in the latest Android version of Signal Private Messenger.
What’s your take? Let me write it down for you again—go and
update the Signal Private Messenger[3] app on your Android
phone from the Google Play Store and make sure you always run
up-to-date apps.
References
- [1] Chromium blog (bugs.chromium.org)
- [2] mentioned (twitter.com)
- [3] Signal Private Messenger (play.google.com)
