GNU social JP
GNU social JP is a GNU social server in Japan.
Conversation


    Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 22:30:12 JST

    Update Signal and pay attention when joining groups:
    https://www.wired.com/story/russia-signal-qr-code-phishing-attack/

    👉 No, Signal has not been compromised
    👉 No, Signal encryption has not been broken
    👉 No, there is no back-door in Signal

    You should continue using Signal. The update is responding to a sophisticated, state-level attack targeting specific groups.

    Unless you are a high-value target, you are almost certainly never going to see this in the wild.

    If you know you are a high-value target, ask your support.

    #InfoSec #Signal


    Link preview: A Signal Update Fends Off a Phishing Technique Used in Russian Espionage, by Andy Greenberg. Google warns that hackers tied to Russia are tricking Ukrainian soldiers with fake QR codes for Signal group invites that let spies steal their messages. Signal has pushed out new safeguards.
      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 22:30:08 JST

      @rysiek Linkdevice workflow should need to be initiated from the device that already has access, not the side that wants to get access.

      This sounds like a variant on the long unfixed Discord "Scan QR Code" account takeover vector.


      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 22:30:09 JST

      That sgnl://linkdevice URL is also handled by Signal app on mobile, but instead it links that mobile client to another client (like Signal Desktop).

      Apparently what the update does is it adds a confirmation dialog before a device is linked, and then double checks for a while at random intervals.


      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 22:30:11 JST

      Technical details in the report:
      https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger

      The tl;dr is:

      Signal uses https://signal[.]group/#hash-fragment links in QR codes that allow people to join groups. The group identifier is in the hash fragment.

      The link loads in a browser first. A bit of JS redirects it to a sgnl://signal[.]group/hash-fragment link that is then handled directly by Signal app on mobile.

      Malicious QR codes use a different domain (list in the report) and redirect to a sgnl://linkdevice URL instead.

      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 22:47:15 JST

      @rysiek 1. Client generates cryptographic secret sent to cloud infrastructure when you go to "link device" on client.

      2. Device you want to link pulls this secret associated with account id you want to link. Fails if client for account is not in linking process already. Displays QR code.

      3. Existing client scans QR code, only links if secret matches.

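Rich Felker's three-step proposal above, written out as an added example that is not part of the original thread and is not Signal's code: a small Python simulation of the server and the two devices, in which only the client that already holds the account can open a linking session, the device seeking access can only display a QR code the server issued during that session, and the existing client completes the link only if the secret it scans is the one it generated. The class and function names, the QR payload format, the time-out and the scenario inputs are assumptions made for this illustration.

```python
# Added example (not Signal's code): simulation of the linking direction
# proposed in the thread, where the client that already holds the account
# initiates. Server, client and device classes, the "account:device:secret"
# QR payload and the time-out are assumptions made for this illustration.
import hmac
import secrets
import time


class LinkServer:
    """Stand-in for the cloud side: one pending linking secret per account."""

    def __init__(self, ttl_seconds=120):
        self._pending = {}          # account_id -> (secret, expires_at)
        self.ttl = ttl_seconds

    def open_linking(self, account_id, secret, now=None):
        now = time.time() if now is None else now
        self._pending[account_id] = (secret, now + self.ttl)

    def fetch_linking_secret(self, account_id, now=None):
        """Step 2: hand out the secret only while a linking session is open."""
        now = time.time() if now is None else now
        entry = self._pending.get(account_id)
        if entry is None or entry[1] < now:
            self._pending.pop(account_id, None)
            return None
        return entry[0]

    def close_linking(self, account_id):
        self._pending.pop(account_id, None)


class PrimaryClient:
    """The client that already has access (steps 1 and 3)."""

    def __init__(self, account_id, server):
        self.account_id = account_id
        self.server = server
        self._secret = None
        self.linked_devices = []

    def start_link_device(self):
        """Step 1: generate a fresh secret and register it with the server."""
        self._secret = secrets.token_hex(16)
        self.server.open_linking(self.account_id, self._secret)

    def scan_qr(self, qr_payload):
        """Step 3: link only if the scanned secret matches the one we generated.

        Any scan outside a session we opened is refused, so a QR code pushed at
        the user through some other channel cannot start a link by itself.
        """
        if self._secret is None:
            return False
        account_id, device_id, presented = (qr_payload.split(":", 2) + ["", "", ""])[:3]
        ok = (account_id == self.account_id
              and bool(device_id)
              and hmac.compare_digest(presented.encode(), self._secret.encode()))
        if ok:
            self.linked_devices.append(device_id)
        # One session per attempt, whether it succeeded or not.
        self.server.close_linking(self.account_id)
        self._secret = None
        return ok


class NewDevice:
    """The device that wants access (step 2): it can only display a QR code
    the server gave it, and the server only has one while a session is open."""

    def __init__(self, device_id):
        self.device_id = device_id

    def request_qr(self, server, account_id, now=None):
        secret = server.fetch_linking_secret(account_id, now)
        if secret is None:
            return None
        return f"{account_id}:{self.device_id}:{secret}"


def run_scenarios():
    """Happy path plus the two refusals a defender cares about (constructed inputs)."""
    server = LinkServer()
    primary = PrimaryClient("alice", server)
    laptop = NewDevice("laptop-1")

    # Nobody initiated from the primary: the new device gets nothing to show.
    uninitiated = laptop.request_qr(server, "alice")

    primary.start_link_device()
    qr = laptop.request_qr(server, "alice")
    linked = primary.scan_qr(qr)

    # A replayed QR after the session closed is refused.
    replayed = primary.scan_qr(qr)

    # A forged QR with a guessed secret is refused even inside an open session.
    primary.start_link_device()
    forged = primary.scan_qr("alice:attacker-box:" + "00" * 16)

    return {"uninitiated": uninitiated, "linked": linked, "replayed": replayed,
            "forged": forged, "devices": list(primary.linked_devices)}


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the direction is visible in `fetch_linking_secret`: a device that has not been authorised cannot obtain anything to display unless the account holder has just asked for it, and the account holder's client never acts on a scan it did not prepare for.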
      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 22:47:16 JST, in reply to Rich Felker

      @dalias absolutely!

      I can see how that's complicated here – Signal app is the one that has access, but is also on the device that is easier to scan QR codes on.

      So it kinda makes sense, from usability perspective, to initiate it with a QR code displayed in Signal Desktop, and scanned on the mobile device.

      Not sure what the solution here is, but I agree with you it should be the other way around.


      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 22:55:08 JST, in reply to Rich Felker and pettter

      @pettter :100a:

      But also, as @dalias noted, this flow has no business being initiated from the device that wants to be linked:
      https://hachyderm.io/@dalias/114030792304413072

      pettter (pettter@social.accum.se)'s status on Wednesday, 19-Feb-2025 22:55:09 JST

      @rysiek Well that's something at least, but holy shit we've really fucked up how people react to confirmation dialogues haven't we? ("We" being software developers as a collective)


      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 22:55:10 JST, in reply to pettter

      @pettter there was a confirmation dialog. Now it requires you to go to a specific part of the app and scan it again:
      https://github.com/signalapp/Signal-Android/commit/112874c08019a40b6f8f1dbbf84eb0ab4d796582


      Link preview: Add new copy for linked device dialogs. · signalapp/Signal-Android@112874c
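The two link shapes from the tl;dr post earlier in the thread (a group-join link with the group identifier in the fragment of https://signal.group/, its sgnl://signal.group/ form after the page's redirect, and a sgnl://linkdevice link that instead links the scanning phone to another client), together with the change described just above (device linking now has to be started from a specific part of the app), as an added example that is not part of the original thread and is not Signal's code. It parses a scanned URI, classifies it, and only lets a link-device URI proceed to a confirmation when the scan was started from the linked-devices screen. The host and scheme strings come from the thread; the entry-point name, the function names and the sample scans are assumptions made for this illustration.

```python
# Added example (not Signal's code): classify a URI read from a scanned QR
# code using the two link shapes described in the thread, and gate the
# device-linking action on where in the app the scan was started. Entry point
# names, function names and the sample scans are assumptions for this example.
from urllib.parse import urlsplit

GROUP_LINK_HOST = "signal.group"      # thread: https://signal.group/#<id>
APP_SCHEME = "sgnl"                   # thread: sgnl://signal.group/<id>, sgnl://linkdevice
LINK_DEVICE_HOST = "linkdevice"
LINKED_DEVICES_SCREEN = "linked_devices_screen"   # assumed name of the dedicated entry point


def classify_scanned_uri(uri):
    """Return (kind, group_id): kind is 'group_join', 'link_device' or 'unknown'."""
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()

    if host == GROUP_LINK_HOST and scheme in ("https", APP_SCHEME):
        # The web form carries the id in the fragment; the app-scheme form the
        # thread describes carries it in the path. Accept either.
        group_id = parts.fragment or parts.path.strip("/")
        if group_id:
            return ("group_join", group_id)
        return ("unknown", None)

    if scheme == APP_SCHEME and host == LINK_DEVICE_HOST:
        return ("link_device", None)

    return ("unknown", None)


def handle_scan(uri, entry_point):
    """Decide what a scanned QR code may trigger.

    A group-join link is acted on from any scanner. A link-device URI is only
    acted on when the user deliberately opened the linked-devices screen to
    scan it, and even then the result is a confirmation step, not the link
    itself, so a QR code that merely redirects to sgnl://linkdevice cannot
    link a device on its own.
    """
    kind, group_id = classify_scanned_uri(uri)
    if kind == "group_join":
        return ("join_group", group_id)
    if kind == "link_device":
        if entry_point == LINKED_DEVICES_SCREEN:
            return ("confirm_link_device", None)
        return ("refused", "link-device URI scanned outside the linked-devices screen")
    return ("refused", "unrecognised URI")


# Constructed sample scans, not real links.
SAMPLE_SCANS = [
    ("https://signal.group/#GrpExample123", "general_scanner"),
    ("sgnl://signal.group/GrpExample123", "general_scanner"),
    ("sgnl://linkdevice?uuid=example", "general_scanner"),
    ("sgnl://linkdevice?uuid=example", LINKED_DEVICES_SCREEN),
    ("https://lookalike.example/#GrpExample123", "general_scanner"),
]

if __name__ == "__main__":
    for uri, where in SAMPLE_SCANS:
        print(f"{where:24} {uri:45} -> {handle_scan(uri, where)}")
```

The classifier keys on what the URI would do rather than on which domain served the QR code, which is why it does not need the list of malicious domains from the report: a redirect from any domain that ends in a link-device URI is refused in the general scanner regardless of origin.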
      pettter (pettter@social.accum.se)'s status on Wednesday, 19-Feb-2025 22:55:12 JST

      @rysiek They didn't already do that!? You could just link devices from scanning a QR code with no further interaction!?


      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 22:59:21 JST, in reply to pettter

      @pettter @rysiek This "wrong workflow direction" security design bug is just something nearly everyone gets wrong...


      pettter (pettter@social.accum.se)'s status on Wednesday, 19-Feb-2025 22:59:22 JST, in reply to Rich Felker

      @rysiek Yeah no shit. I'm not sure how I feel about Signal having this kind of honestly quite shoddy security engineering. The safest device is the one you don't use, and the most useful device is the one everyone can access to do everything, but to me this feels very much like another case of Signal wanting to have their cake (marketing themselves as critical security infra for dissidents) and eat it too (making usability tradeoffs that don't support that threat model). @dalias


      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 23:14:50 JST, in reply to pettter

      @pettter @rysiek Half of those criticisms are poorly founded stuff spewed by anti-Signal circles with agendas. For example Stories was the key feature to displace very bad insecure shit in large parts of the world, and they did an actually secure/private version of it.

      Signal is not the final place we need to be, but they're the only player who has a short term hope of replacing awful stuff by not having big feature regressions for normies who switch. Meanwhile we'll keep advancing better stuff (VeilidChat, Cwtch) for eventual mainstream audiences.


      pettter (pettter@social.accum.se)'s status on Wednesday, 19-Feb-2025 23:14:52 JST, in reply to Rich Felker

      @dalias I don't know, I'm not deep in the field, but Signal is just one of those companies which continually has made choices that baffle me. Tying user ID to phone numbers and leaking Signal usage through contact lists, refusing federation and secure distribution through f-droid, implementing Stories and fucking cryptocurrency integration instead of useful group chat features (moderation tools, subchannels). @rysiek


      pettter (pettter@social.accum.se)'s status on Wednesday, 19-Feb-2025 23:14:53 JST, in reply to Rich Felker

      @dalias Sure, but this should make it a well-known security concern, which a company that explicitly markets themselves as The Safest Option For Whistleblowers should know about and know to avoid. @rysiek


      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 23:33:13 JST, in reply to pettter

      @rysiek @pettter SimpleX is by rw coinbro asshats and is hypeware, Cwtch is by awesome folks and has real serious privacy properties.


      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Wednesday, 19-Feb-2025 23:33:14 JST, in reply to Rich Felker and pettter

      @dalias @pettter thoughts on Cwtch vs SimpleX?


      Tris (triskelion@fosstodon.org)'s status on Wednesday, 19-Feb-2025 23:50:20 JST, in reply to Rich Felker and pettter

      @dalias @rysiek @pettter IIRC, Simple X has investment from Jack Dorsey too


      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 23:50:41 JST, in reply to Tris and pettter

      @triskelion @rysiek @pettter LMAO of course it does.


      Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 19-Feb-2025 23:55:19 JST, in reply to pettter

      @rysiek @pettter Compare this https://hachyderm.io/@dalias/114016554675938466 to getting greeted by a bunch of nazi recommended groups when you launch the app.


      Link preview: Cassandrich (@dalias@hachyderm.io), with one image attached: "Ok, THIS is how you do UX for an e2ee messaging app when you want to make it clear who you are and aren't doing it for. 🔥 Props to @VeilidNetwork@hackers.town team."
      Tris (triskelion@fosstodon.org)'s status on Thursday, 20-Feb-2025 01:11:07 JST, in reply to Rich Felker and pettter

      @rysiek @dalias @pettter I did have SimpleX installed, I got a notification from their official update channel or account there. I deleted the app immediately xD


      Michał "rysiek" Woźniak · 🇺🇦 (rysiek@mstdn.social)'s status on Thursday, 20-Feb-2025 01:11:09 JST, in reply to Rich Felker, Tris and pettter

      @triskelion lolwat?

      Do you have a link?

      @dalias @pettter


      Tris (triskelion@fosstodon.org)'s status on Thursday, 20-Feb-2025 01:17:33 JST, in reply to Rich Felker and pettter

      @rysiek @dalias @pettter and https://www.wired.com/story/neo-nazis-flee-telegram-encrypted-app-simplex/


      Link preview: Neo-Nazis Are Fleeing Telegram for Encrypted App SimpleX Chat, by David Gilbert. Neo-Nazis are joining SimpleX Chat, a relatively unknown app that received funding from Jack Dorsey and promises users there is no way for it or law enforcement to track their identity.
      Rich Felker (dalias@hachyderm.io)'s status on Thursday, 20-Feb-2025 01:17:33 JST, in reply to Tris and pettter

      @triskelion @rysiek @pettter SimpleX: developed by nazis, courting nazis.


      Tris (triskelion@fosstodon.org)'s status on Thursday, 20-Feb-2025 01:17:34 JST, in reply to Rich Felker and pettter

      @rysiek @dalias @pettter https://simplex.chat/blog/20240814-simplex-chat-vision-funding-v6-private-routing-new-user-experience.html

      Ah, here's the link


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.